WAGO: Series 750-3x/-8x prone to MODBUS server DoS
CVSS 7.5 · VDE-2023-005 · Jun 25, 2023
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary
An unauthenticated attacker with network access to port 502/TCP of WAGO Series 750-3x/-8x controllers and field bus couplers can cause a denial-of-service condition by sending multiple specially crafted MODBUS packets. The MODBUS server does not properly release memory resources reserved for incomplete connection attempts, allowing memory exhaustion and device unavailability.
What this means
What could happen
An attacker can crash or freeze your WAGO controller by overwhelming its MODBUS port with specially crafted packets, disrupting whatever process it controls—whether that's HVAC, water treatment, or electrical distribution—until the device is manually rebooted.
Who's at risk
Water utilities, municipal electric systems, building automation operators, and other facility managers running WAGO Series 750-3x/-8x controllers or field bus couplers with BACnet/IP, EtherNet/IP, or MODBUS TCP should assess this risk. These controllers commonly manage HVAC, water treatment, pump sequencing, electrical switchgear, and other critical plant functions.
How it could be exploited
An attacker sends malformed MODBUS TCP packets to port 502 of a vulnerable WAGO controller. Each packet claims to start a new connection but does not complete it properly. The controller allocates memory for each incomplete connection but fails to release it when the attacker abandons the connection. After enough incomplete connections, the controller runs out of memory and stops responding to legitimate MODBUS requests or stops operation entirely.
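The paragraph above describes a resource-exhaustion pattern: every TCP client that connects to port 502 costs the server memory, and memory is only safe if it is released when the client never completes. The model below is an added example written for this page, not WAGO firmware code and not a description of the actual bug; it shows what a hardened MODBUS/TCP front-end does differently: it caps accepted connections per source and in total, rejects a malformed MBAP header instead of buffering it, and reaps idle connections on a timer. The limits (4 per source, 32 total, 5 s idle) and the address 192.0.2.44 are assumptions chosen for the demonstration.

```python
import struct
from dataclasses import dataclass

MBAP_LEN = 7    # transaction id (2) + protocol id (2) + length (2) + unit id (1)
MAX_PDU = 253   # MODBUS/TCP PDU limit; the MBAP length field counts unit id + PDU


def parse_mbap(buf: bytes):
    """Return (transaction_id, length, unit_id) for a well-formed MBAP header,
    None when more bytes are needed, or raise ValueError for a header that
    must be rejected rather than buffered."""
    if len(buf) < MBAP_LEN:
        return None
    tid, proto, length, unit = struct.unpack("!HHHB", buf[:MBAP_LEN])
    if proto != 0:
        raise ValueError("MBAP protocol id must be 0")
    if not 2 <= length <= MAX_PDU + 1:
        raise ValueError("implausible MBAP length %d" % length)
    return tid, length, unit


@dataclass
class Conn:
    src: str
    last_seen: float
    buf: bytes = b""


class ConnectionTable:
    """Bounded table of accepted client connections (hypothetical model, not
    the device's implementation). Every entry is released when the client
    closes, when it sends a malformed header, or when it idles out."""

    def __init__(self, max_per_source=4, max_total=32, idle_timeout=5.0):
        self.max_per_source = max_per_source   # assumed limits for the demo
        self.max_total = max_total
        self.idle_timeout = idle_timeout
        self.conns = {}                        # connection id -> Conn
        self._next_id = 0

    def per_source(self, src):
        return sum(1 for c in self.conns.values() if c.src == src)

    def accept(self, src, now):
        """Admit a new TCP connection, or refuse it without allocating anything."""
        if len(self.conns) >= self.max_total or self.per_source(src) >= self.max_per_source:
            return None
        cid = self._next_id
        self._next_id += 1
        self.conns[cid] = Conn(src, now)
        return cid

    def close(self, cid):
        self.conns.pop(cid, None)

    def feed(self, cid, data, now):
        """Buffer bytes from a client and return the complete ADUs found.
        A malformed header closes the connection instead of parking it."""
        conn = self.conns[cid]
        conn.last_seen = now
        conn.buf += data
        frames = []
        while True:
            try:
                header = parse_mbap(conn.buf)
            except ValueError:
                self.close(cid)
                break
            if header is None:
                break
            _, length, _ = header
            total = 6 + length          # bytes before the length field + what it counts
            if len(conn.buf) < total:
                break
            frames.append(conn.buf[:total])
            conn.buf = conn.buf[total:]
        return frames

    def reap(self, now):
        """Release every connection silent for longer than idle_timeout. Releasing
        resources held by incomplete connection attempts is exactly what the
        advisory says the affected firmware fails to do."""
        stale = [cid for cid, c in self.conns.items() if now - c.last_seen > self.idle_timeout]
        for cid in stale:
            del self.conns[cid]
        return len(stale)


def simulate_half_open_flood(attempts=1000, src="192.0.2.44", t0=0.0):
    """Open many connections that never send a frame (constructed scenario) and
    report: admitted count, table size at peak, table size after the idle
    reaper ran, and how many entries the reaper released."""
    table = ConnectionTable()
    admitted = sum(1 for i in range(attempts)
                   if table.accept(src, t0 + i * 0.001) is not None)
    peak = len(table.conns)
    released = table.reap(t0 + 60.0)
    return admitted, peak, len(table.conns), released
```

With the assumed limits, `simulate_half_open_flood()` admits only 4 of 1000 attempts from one source, holds 4 entries at peak, and holds 0 after the reaper runs, which is the bounded behaviour that makes the flood described above harmless: the cost of a connection attempt that is never completed is both capped and temporary.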
Prerequisites
- Network reachability to port 502/TCP on the target device
- MODBUS server enabled (default configuration)
- No authentication required
Tags: remotely exploitable · no authentication required · low complexity · affects availability of industrial control devices · common in water and utility automation
Affected products (8)
8 with fix
Product | Affected Versions | Fix Status
BACnet/IP Controller (4th Gen) | ≤ FW10 | FW11 after BACnet certification
BACnet/IP Fieldbus Coupler (4th Gen) | ≤ FW10 | FW11 after BACnet certification
EtherNet/IP Controller (4th Gen) | ≤ FW10 | FW11
EtherNet/IP Fieldbus Coupler (4th Gen) | ≤ FW10 | FW11
EtherNet/IP M12 Fieldbus Coupler (4th Gen) | ≤ FW10 | FW11
Modbus TCP Controller (4th Gen) | ≤ FW10 | FW11
Modbus TCP Fieldbus Coupler (4th Gen) | ≤ FW10 | FW11
Modbus TCP M12 Fieldbus Coupler (4th Gen) | ≤ FW10 | FW11
Remediation & Mitigation
Do now
- WORKAROUND: Disable the MODBUS server in the device's web-based management settings if MODBUS communication is not required for operations
- HARDENING: Restrict network access to port 502/TCP using a firewall or network ACL to allow only trusted engineering workstations and SCADA servers
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
- HOTFIX: Update firmware to FW11 or later (release dates vary by model: Q1 2023 to Q3 2023 depending on BACnet certification status)
Long-term hardening
- HARDENING: Isolate WAGO controllers from untrusted networks; do not allow direct Internet access or access from corporate office networks without a demilitarized zone
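The firewall and segmentation steps above reduce who can reach port 502; until FW11 is deployed, it is also worth watching for the traffic pattern the advisory describes, namely many connections to 502/TCP from one source that never complete. The detector below is an added example, not part of the advisory and not a WAGO or vendor tool. It assumes a whitespace-separated connection log with the fields ts, src, dst, dport, conn_state and resp_bytes (the conn_state codes follow Zeek's naming, where SF is a normal open-and-close and S0/S1 mean the connection was never completed), a 60-second sliding window and a threshold of 20; the sample records and every address in them are constructed.

```python
from collections import defaultdict, deque

# Constructed connection records (not taken from the advisory):
# ts  src  dst  dport  conn_state  resp_bytes
SAMPLE_LOG = """\
1687680000.0 10.1.20.5 10.1.30.10 502 SF 96
1687680001.0 10.1.20.5 10.1.30.10 502 SF 96
1687680002.0 10.1.20.5 10.1.30.10 502 S0 0
1687680003.0 10.1.20.5 10.1.30.10 502 SF 96
1687680004.0 10.1.20.7 10.1.30.10 80 S0 0
"""

# conn_state values treated as "never completed" (Zeek-style codes; assumption).
INCOMPLETE_STATES = {"S0", "S1", "SH", "RSTO", "OTH"}


def parse_records(text):
    """Parse whitespace-separated records into dicts, skipping blanks and comments."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, dport, state, resp_bytes = line.split()
        records.append({"ts": float(ts), "src": src, "dst": dst, "dport": int(dport),
                        "state": state, "resp_bytes": int(resp_bytes)})
    return records


def is_incomplete(rec):
    """A connection that never reached a normal state, or got no reply bytes."""
    return rec["state"] in INCOMPLETE_STATES or rec["resp_bytes"] == 0


def find_flood_sources(records, dport=502, window=60.0, threshold=20):
    """Sliding-window count of incomplete connections per source to dport.
    Returns {src: peak count seen in any window} for sources that reached threshold."""
    recent = defaultdict(deque)
    flagged = {}
    for rec in sorted(records, key=lambda r: r["ts"]):
        if rec["dport"] != dport or not is_incomplete(rec):
            continue
        q = recent[rec["src"]]
        q.append(rec["ts"])
        while q and rec["ts"] - q[0] > window:   # drop timestamps outside the window
            q.popleft()
        if len(q) >= threshold:
            flagged[rec["src"]] = max(flagged.get(rec["src"], 0), len(q))
    return flagged


def build_sample_records():
    """Constructed scenario: a SCADA poller completing one connection per second
    for a minute, three stray S0 attempts from that same poller, and a burst of
    40 half-open connections from one untrusted address within ten seconds."""
    t0 = 1687680000.0
    lines = [f"{t0 + i:.1f} 10.1.20.5 10.1.30.10 502 SF 96" for i in range(60)]
    lines += [f"{t0 + 10 + i:.1f} 10.1.20.5 10.1.30.10 502 S0 0" for i in range(3)]
    lines += [f"{t0 + 30 + i * 0.25:.2f} 192.0.2.44 10.1.30.10 502 S1 0" for i in range(40)]
    return parse_records("\n".join(lines))
```

Running `find_flood_sources(build_sample_records())` flags only 192.0.2.44 (peak 40 incomplete connections in the window); the poller's three stray S0 attempts stay well under the threshold, so a brief device reboot does not raise an alert. Tune `threshold` to the number of distinct MODBUS clients a controller legitimately serves, which in most plants is a small, fixed set.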
CVEs (1)