WAGO: Multiple products - Loss of MAC-Address-Filtering after reboot
Plan Patch | 7.5 | VDE-2022-042 | Oct 17, 2022
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary
The MAC address filter (firewall control) on WAGO Compact Controllers, Edge Controllers, and PFC controllers fails to activate after device reboot. This allows any network-connected device to bypass the MAC filter and access the controller until an administrator manually re-enables filtering. The flaw affects firmware versions 03.01.07(13) through 03.10.08(22) (or 03.10.09(22) for certain PFC variants). Affected product lines include WAGO Compact Controller CC100, WAGO Edge Controller, and WAGO PFC100/PFC200 controllers. Some product variants (750-81xx/xxx-xxx in certain firmware ranges) have no vendor fix available.
What this means
What could happen
After a device reboot, MAC address filtering (a firewall control that blocks unauthorized devices) fails to activate, allowing any device on the network to access the controller until an administrator manually re-enables the filter. An attacker can exploit this window to send commands to alter process setpoints or shut down production equipment.
Who's at risk
Water utilities, electrical distribution systems, and manufacturing plants using WAGO Compact Controllers (CC100), WAGO Edge Controllers, or WAGO PFC controllers (750-81xx and 750-82xx series) for PLC functions, process automation, or edge intelligence. Any site relying on MAC filtering as a primary network access control to these devices.
How it could be exploited
An attacker on the same network reboots or monitors for a reboot of the WAGO controller. After reboot, the MAC filter remains inactive, allowing the attacker to send network traffic directly to the device (HTTP, telnet, Modbus, or other protocols) without being blocked by the normally-active MAC filter. The attacker can then interact with the web interface or industrial protocols to issue control commands.
Prerequisites
- Network access to the WAGO controller on the same segment
- Controller must be rebooted (either by attacker or through normal maintenance)
- No additional credentials required if web interface or Modbus port is otherwise exposed
- Remotely exploitable
- No authentication required after filter failure
- Low complexity exploitation
- Affects controllers with safety and process control functions
- No patch available for some product variants
Affected products (4)
2 with fix, 2 pending
Product | Affected Versions | Fix Status
WAGO Compact Controller CC100 | 03.01.07(13) ≤ 03.10.08(22) | 03.10.10(22)
WAGO Edge Controller | 03.01.07(13) ≤ 03.10.08(22) | 04.01.10(23)
750-81xx/xxx-xxx | 03.01.07(13) ≤ 03.10.09(22) | No fix yet
750-81xx/xxx-xxx | 03.01.07(13) ≤ 03.10.08(22) | No fix yet
Remediation & Mitigation
Do now
750-81xx/xxx-xxx
WORKAROUND: For 750-81xx/xxx-xxx models without a vendor fix available, manually verify and reactivate MAC Address Filtering in device settings after every reboot or maintenance window
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
WAGO Compact Controller CC100
HOTFIX: Update WAGO Compact Controller CC100 (750-81xx/xxx-xxx, 750-8217/xxx-xxx, 750-82xx/xxx-xxx) to firmware version 03.10.10(22) or later
WAGO Edge Controller
HOTFIX: Update WAGO Edge Controller (751-9301) to firmware version 04.01.10(23) or later
Long-term hardening
HARDENING: Isolate WAGO controllers to a separate network segment with firewall rules that restrict inbound network access to only authorized engineering workstations
HARDENING: Establish a post-reboot verification procedure to confirm MAC Address Filter is active before returning the device to production
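To apply the affected-version table and the remediation steps above across a fleet, the following added example (not part of the advisory or of any WAGO tooling) classifies inventory entries by their firmware string. It assumes firmware strings order numerically field by field, including the number in parentheses; the asset names, sample firmware values and status labels are constructed for illustration.

```python
import re

# Rows transcribed from the advisory's "Affected products" table:
# (product, first affected, last affected, fixed version or None for "No fix yet").
ADVISORY_ROWS = [
    ("WAGO Compact Controller CC100", "03.01.07(13)", "03.10.08(22)", "03.10.10(22)"),
    ("WAGO Edge Controller", "03.01.07(13)", "03.10.08(22)", "04.01.10(23)"),
    ("750-81xx/xxx-xxx", "03.01.07(13)", "03.10.09(22)", None),
    ("750-81xx/xxx-xxx", "03.01.07(13)", "03.10.08(22)", None),
]

_FW = re.compile(r"^\s*(\d+)\.(\d+)\.(\d+)\((\d+)\)\s*$")

def parse_fw(text):
    """Turn '03.10.08(22)' into (3, 10, 8, 22); raise ValueError on anything else."""
    m = _FW.match(text)
    if not m:
        raise ValueError(f"unrecognised firmware string: {text!r}")
    return tuple(int(g) for g in m.groups())

def triage(product, firmware):
    """Classify one inventory entry against the advisory rows."""
    try:
        fw = parse_fw(firmware)
    except ValueError:
        return "check-manually"  # never silently treat unparseable data as safe
    rows = [r for r in ADVISORY_ROWS if r[0] == product]
    if not rows:
        return "product-not-listed"
    for _, first, last, fix in rows:
        if parse_fw(first) <= fw <= parse_fw(last):
            # Affected: patch if a fix is listed, else re-check the filter after every reboot.
            return "affected-update-to-" + fix if fix else "affected-no-fix-verify-after-reboot"
    fixes = [parse_fw(r[3]) for r in rows if r[3]]
    if fixes and fw >= min(fixes):
        return "at-or-above-fixed-version"
    return "outside-listed-range"

# Constructed inventory (hypothetical asset names), not data from the advisory.
INVENTORY = [
    ("plc-pump-01", "WAGO Compact Controller CC100", "03.10.08(22)"),
    ("plc-pump-02", "WAGO Compact Controller CC100", "03.10.10(22)"),
    ("edge-gw-01", "WAGO Edge Controller", "03.09.04(21)"),
    ("plc-line-07", "750-81xx/xxx-xxx", "03.10.09(22)"),
    ("plc-line-08", "750-81xx/xxx-xxx", "v3.10"),
]

def triage_inventory(inventory=INVENTORY):
    """Return {asset name: status} for every inventory entry."""
    return {name: triage(product, fw) for name, product, fw in inventory}
```

Entries reported as `outside-listed-range` (for example a CC100 on a version between the last affected and the fixed release) are not covered by the table and still need a manual check of the MAC filter state.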
CVEs (1)