WAGO: Unauthenticated Configuration Export in web-based management in multiple devices

Monitor
CVSS 5.9
VDE-2022-054
Jan 12, 2023
Attack Vector: Network
Auth Required: None
Complexity: High
User Interaction: None needed
Summary

An unauthenticated attacker can export sensitive configuration and program files from WAGO PLC and controller devices via the web-based management interface without providing credentials. The vulnerability affects WAGO PFC100, PFC200, Touch Panel 600 (Advanced, Marine, Standard), Compact Controller CC100, and Edge Controller running firmware versions FW16 through FW22. The attacker gains access to proprietary control logic, process parameters, and potentially embedded credentials.

What this means
What could happen
An attacker without login credentials can download the complete configuration and program files from your WAGO controller's web interface, exposing proprietary logic, setpoints, and credentials stored in the configuration.
Who's at risk
WAGO PLC and controller operators in manufacturing and process industries who use PFC100, PFC200, Touch Panel 600 (all variants), CC100, or Edge Controller devices. It affects anyone who relies on these controllers for process automation and has the web management interface enabled.
How it could be exploited
An attacker on the network (or the internet, if the web interface is exposed) accesses the WAGO device's web management interface and requests the configuration export function without providing any authentication credentials. The device allows the export and returns a file containing the complete configuration, program code, and potentially embedded credentials.
Prerequisites
  • Network connectivity to the WAGO device's web management interface (default ports 80/443)
  • No authentication credentials required
Tags: remotely exploitable, no authentication required, sensitive configuration and credential exposure, low complexity
Affected products (7)
7 with fix

Product                                  | Affected Versions | Fix Status
Series WAGO PFC100                       | FW16 to FW22      | FW22 Patch 1
Series WAGO PFC200                       | FW16 to FW22      | FW22 Patch 1
Series WAGO Touch Panel 600 Advanced Line | FW16 to FW22      | FW22 Patch 1
Series WAGO Touch Panel 600 Marine Line   | FW16 to FW22      | FW22 Patch 1
Series WAGO Touch Panel 600 Standard Line | FW16 to FW22      | FW22 Patch 1
Compact Controller CC100                 | FW16 to FW22      | FW22 Patch 1
Edge Controller                          | FW16 to FW22      | FW22 Patch 1
Remediation & Mitigation
Do now
WORKAROUND: Restrict network access to the web management interface to authorized engineering workstations and administrative networks only, using firewall rules
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Update all WAGO controllers to FW22 Patch 1 or later
HARDENING: Disable the web management interface on production WAGO devices if it is not actively used for maintenance
Long-term hardening
HARDENING: Implement network segmentation to isolate PLC management interfaces from general production network traffic
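As an added example (not code from the advisory or from WAGO), a small Python fleet check that parses WAGO firmware strings such as "FW22 Patch 1" and flags devices inside the advisory's affected window (FW16 through FW22, anything below FW22 Patch 1) so the hotfix can be scheduled. The inventory format, the short product names and the device names are assumed and constructed for the example.

```python
import re
from typing import List, Tuple

# Affected window from the advisory table: FW16 through FW22 for every listed
# product, fixed in FW22 Patch 1 (the same fix status for all seven entries).
AFFECTED_PRODUCTS = {
    "PFC100", "PFC200",
    "Touch Panel 600 Advanced Line", "Touch Panel 600 Marine Line",
    "Touch Panel 600 Standard Line", "Compact Controller CC100", "Edge Controller",
}
FIRST_AFFECTED = (16, 0)   # FW16
FIXED_IN = (22, 1)         # FW22 Patch 1

_FW_RE = re.compile(r"^\s*FW\s*(\d+)(?:\s+Patch\s+(\d+))?\s*$", re.IGNORECASE)

def parse_firmware(version: str) -> Tuple[int, int]:
    """Parse 'FW22' or 'FW22 Patch 1' into a comparable (release, patch) tuple."""
    m = _FW_RE.match(version)
    if not m:
        raise ValueError(f"unrecognised WAGO firmware string: {version!r}")
    return int(m.group(1)), int(m.group(2) or 0)

def is_affected(product: str, version: str) -> bool:
    """True when the device is a listed product running FW16 <= fw < FW22 Patch 1.
    Versions outside the window (e.g. FW15) are not listed by the advisory and
    are therefore reported as not affected by this advisory."""
    if product not in AFFECTED_PRODUCTS:
        return False
    return FIRST_AFFECTED <= parse_firmware(version) < FIXED_IN

def devices_needing_hotfix(inventory: List[Tuple[str, str, str]]):
    """Return the (name, product, firmware) entries that still need FW22 Patch 1."""
    return [d for d in inventory if is_affected(d[1], d[2])]

# Constructed sample inventory; assumed layout (device name, product, firmware)
SAMPLE_INVENTORY = [
    ("plc-line1", "PFC200", "FW22"),
    ("plc-line2", "PFC200", "FW22 Patch 1"),
    ("hmi-pack", "Touch Panel 600 Standard Line", "FW18"),
    ("edge-01", "Edge Controller", "FW23"),
    ("io-old", "PFC100", "FW15"),
    ("cc-01", "Compact Controller CC100", "FW22 Patch 2"),
]

if __name__ == "__main__":
    for name, product, version in devices_needing_hotfix(SAMPLE_INVENTORY):
        print(f"{name}: {product} {version} -> update to FW22 Patch 1 or later")
```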
WAGO: Unauthenticated Configuration Export in web-based management in multiple devices | CVSS 5.9 - OTPulse