WAGO: Multiple vulnerabilities in web-based management of multiple products

Priority: Act Now
CVSS score: 9.8
Advisory ID: VDE-2022-060
Date: Feb 27, 2023
Attack vector: Network
Auth required: None
Complexity: Low
User interaction: None needed
Summary

Multiple vulnerabilities exist in the Web-Based Management (WBM) interface of WAGO PLCs and controllers. The configuration backend can be accessed without authentication in some cases, allowing root-level write operations. Additionally, CORS misconfiguration enables reflected XSS attacks. Affected products include Compact Controller 100, Edge Controller, PFC100/200, and Touch Panel 600 series (Standard, Advanced, and Marine lines) running firmware versions FW16 through FW23. No patches are currently available for affected firmware versions.

What this means
What could happen
An attacker on your network can access the web-based management interface of WAGO controllers without credentials and perform administrative actions, including modifying PLC configuration or firmware. This could allow them to alter control logic, change setpoints, or stop production operations.
Who's at risk
Manufacturing operations using WAGO Compact Controllers, Edge Controllers, PFC controllers, and Touch Panel 600 series for process control and machine automation. Any facility relying on these devices for production operations, including discrete manufacturing plants and continuous process industries, should implement immediate network isolation measures.
How it could be exploited
An attacker on the network sends HTTP requests directly to the web-based management interface on port 80/443 of the WAGO device. Because the configuration backend lacks proper authentication in some cases, the attacker can read and write configuration data with root-level privileges. CORS misconfiguration also allows the attacker to trigger these actions from a malicious website visited by an operator.
Prerequisites
  • Network access to HTTP/HTTPS ports (80/443) of the WAGO device
  • Device must be reachable from attacker's network location
  • No valid credentials required for exploitation
Key facts
  • Remotely exploitable
  • No authentication required
  • Low complexity
  • High CVSS score (9.8)
  • No patch available for current firmware versions
  • Affects industrial control equipment
Affected products (14)
14 with fix

Product                  Affected versions   Fix status
Compact Controller 100   FW16 to FW22        FW24 or FW22 Patch 1
Compact Controller 100   FW23                FW24 or FW22 Patch 1
Edge Controller          FW23                FW24 or FW22 Patch 1
Edge Controller          FW18 to FW22        FW24 or FW22 Patch 1
PFC100                   FW23                FW24 or FW22 Patch 1
PFC100                   FW16 to FW22        FW24 or FW22 Patch 1
PFC200                   FW16 to FW22        FW24 or FW22 Patch 1
PFC200                   FW23                FW24 or FW22 Patch 1
Remediation & Mitigation

Do now
  • WORKAROUND: Disable web-based management (WBM) on WAGO controllers if not actively required for administration or commissioning, using command-line tools
  • WORKAROUND: Restrict network access to WAGO controllers at the firewall; allow HTTP/HTTPS traffic (ports 80, 443) only from authorized engineering workstations or administrative networks
  • HARDENING: Do not connect WAGO controllers directly to the internet; ensure they are placed on an isolated OT network segment with strict ingress/egress rules
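One way to verify that the firewall restriction above is actually holding is to audit accepted flows for WBM connections to controllers that originate outside the engineering network. The following Python script is an added example, not part of the OTPulse advisory or any WAGO tooling; the controller addresses, the authorized network, and the key=value log format are constructed assumptions.

```python
"""Audit firewall flow logs for WBM access to WAGO controllers that did not
come from an authorized engineering host. All addresses and log lines below
are constructed sample data; the 'key=value' record format is hypothetical."""
import ipaddress
import re
WBM_PORTS = {80, 443}  # HTTP/HTTPS ports named in the advisory
# Constructed: controller addresses and the only network allowed to reach WBM.
CONTROLLERS = {"10.0.9.21", "10.0.9.22"}
AUTHORIZED_SOURCES = [ipaddress.ip_network("10.0.5.0/28")]
FLOW_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>ACCEPT|DROP) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"proto=(?P<proto>\w+) dport=(?P<dport>\d+)$"
)

def parse_flow(line):
    """Return one flow record as a dict, or None if the line is malformed."""
    m = FLOW_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["dport"] = int(rec["dport"])
    return rec

def is_authorized(src):
    """True if the source address lies inside an authorized network."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in AUTHORIZED_SOURCES)

def find_unauthorized_wbm_access(lines):
    """Return (ts, src, dst, dport) for accepted TCP flows that reached a
    controller's WBM port from outside the authorized engineering range."""
    hits = []
    for line in lines:
        rec = parse_flow(line)
        if rec is None or rec["action"] != "ACCEPT" or rec["proto"] != "tcp":
            continue
        if (rec["dst"] in CONTROLLERS and rec["dport"] in WBM_PORTS
                and not is_authorized(rec["src"])):
            hits.append((rec["ts"], rec["src"], rec["dst"], rec["dport"]))
    return hits

# Constructed sample log: authorized access, office-LAN access (flagged),
# a non-WBM port, a dropped flow from outside, and a malformed line.
SAMPLE_LOG = [
    "2023-02-27T10:00:01Z ACCEPT src=10.0.5.3 dst=10.0.9.21 proto=tcp dport=443",
    "2023-02-27T10:00:07Z ACCEPT src=192.168.40.15 dst=10.0.9.21 proto=tcp dport=80",
    "2023-02-27T10:00:09Z ACCEPT src=192.168.40.15 dst=10.0.9.22 proto=tcp dport=502",
    "2023-02-27T10:00:12Z DROP src=203.0.113.9 dst=10.0.9.22 proto=tcp dport=443",
    "garbage line",
]
```

Only the office-LAN flow to port 80 is reported; the dropped internet-sourced flow never reached the controller, and the Modbus-style port 502 flow is out of scope for this check.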
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

  • HOTFIX: Install firmware version FW22 Patch 1 or FW24 or higher when available from your device vendor, coordinating with your maintenance window
Source: OTPulse