WAGO: Multiple products - Loss of MAC-Address-Filtering after reboot

Plan PatchCVSS 7.5VDE-2022-042Oct 17, 2022

WAGO

Attack path

Attack VectorNetwork

Auth RequiredNone

ComplexityLow

User InteractionNone needed

Summary

The MAC address filter (firewall control) on WAGO Compact Controllers, Edge Controllers, and PFC controllers fails to activate after device reboot. This allows any network-connected device to bypass the MAC filter and access the controller until an administrator manually re-enables filtering. The flaw affects firmware versions 03.01.07(13) through 03.10.08(22) (or 03.10.09(22) for certain PFC variants). Affected product lines include WAGO Compact Controller CC100, WAGO Edge Controller, and WAGO PFC100/PFC200 controllers. Some product variants (750-81xx/xxx-xxx in certain firmware ranges) have no vendor fix available.

What this means

What could happen

After a device reboot, MAC address filtering (a firewall control that blocks unauthorized devices) fails to activate, allowing any device on the network to access the controller until an administrator manually re-enables the filter. An attacker can exploit this window to send commands to alter process setpoints or shut down production equipment.

Who's at risk

Water utilities, electrical distribution systems, and manufacturing plants using WAGO Compact Controllers (CC100), WAGO Edge Controllers, or WAGO PFC controllers (750-81xx and 750-82xx series) for PLC functions, process automation, or edge intelligence. Any site relying on MAC filtering as a primary network access control to these devices.

How it could be exploited

An attacker on the same network reboots or monitors for a reboot of the WAGO controller. After reboot, the MAC filter remains inactive, allowing the attacker to send network traffic directly to the device (HTTP, telnet, Modbus, or other protocols) without being blocked by the normally-active MAC filter. The attacker can then interact with the web interface or industrial protocols to issue control commands.

Prerequisites

Network access to the WAGO controller on the same segment
Controller must be rebooted (either by attacker or through normal maintenance)
No additional credentials required if web interface or Modbus port is otherwise exposed

Remotely exploitableNo authentication required after filter failureLow complexity exploitationAffects controllers with safety and process control functionsNo patch available for some product variants

Exploitability

Unlikely to be exploited — EPSS score 0.2%

Affected products (4)

2 with fix2 pending

ProductAffected VersionsFix Status

WAGO Compact Controller CC10003.01.07(13)≤ 03.10.08(22)03.10.10(22)

WAGO Edge Controller03.01.07(13)≤ 03.10.08(22)04.01.10(23

750-81xx/xxx-xxx03.01.07(13)≤ 03.10.09(22)No fix yet

750-81xx/xxx-xxx03.01.07(13)≤ 03.10.08(22)No fix yet

Remediation & Mitigation

0/5

Do now

0/1

750-81xx/xxx-xxx

WORKAROUNDFor 750-81xx/xxx-xxx models without a vendor fix available, manually verify and reactivate MAC Address Filtering in device settings after every reboot or maintenance window

Schedule — requires maintenance window

0/2

Patching may require device reboot — plan for process interruption

WAGO Compact Controller CC100

HOTFIXUpdate WAGO Compact Controller CC100 (750-81xx/xxx-xxx, 750-8217/xxx-xxx, 750-82xx/xxx-xxx) to firmware version 03.10.10(22) or later

WAGO Edge Controller

HOTFIXUpdate WAGO Edge Controller (751-9301) to firmware version 04.01.10(23) or later

Long-term hardening

0/2

HARDENINGIsolate WAGO controllers to a separate network segment with firewall rules that restrict inbound network access to only authorized engineering workstations

HARDENINGEstablish a post-reboot verification procedure to confirm MAC Address Filter is active before returning the device to production

CVEs (1)

CVE-2022-3281

View full CERT@VDE advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/63ff5217-9363-47f5-812c-db4c1131af36

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.