WAGO: Unauthenticated command execution via Web-based-management (UPDATE A)

Severity: Act Now (score 9.8)
Advisory ID: VDE-2023-007
Published: May 15, 2023
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

The 'legal information' plugin of WAGO web-based-management contains a vulnerability that allows execution of arbitrary commands with the privileges of the www user. This affects multiple WAGO industrial controllers and human-machine interfaces (HMIs) running certain firmware versions. The vulnerability is remotely exploitable over the network without requiring authentication.

What this means
What could happen
An attacker on the network can execute arbitrary commands on WAGO controllers and HMIs, potentially altering process parameters, stopping operations, or modifying system configurations without warning. Physical processes controlled by these devices could be disrupted or damaged.
Who's at risk
Water utilities, municipalities, and industrial facilities using WAGO controllers should assess their exposure. This affects WAGO Compact Controller 100, Edge Controller, PFC100, PFC200 controllers, and Touch Panel 600 HMI devices. This equipment is typically used for process control, automation, and monitoring in water distribution, wastewater treatment, power distribution, and other critical infrastructure.
How it could be exploited
An attacker sends a specially crafted HTTP request to the web-based-management interface targeting the 'legal information' plugin. The vulnerable plugin processes the request and executes arbitrary commands with www user privileges on the device. No authentication is required; the attack can be launched from any network path that reaches the device's HTTP port.
Prerequisites
  • Network access to the HTTP port (typically port 80) of the affected WAGO device
  • Web-based-management service is enabled on the device
Tags: remotely exploitable; no authentication required; low complexity; affects industrial control systems (PLCs, HMIs); affects operational technology critical infrastructure
Affected products (9): 5 with fix, 4 pending

Product                        | Affected Versions | Fix Status
Compact Controller 100         | FW23              | No fix yet
Compact Controller 100         | FW22              | No fix yet
Edge Controller                | FW20–FW22         | FW24
PFC100                         | FW22              | FW24
PFC200                         | FW20–FW22         | No fix yet
PFC200                         | FW23              | No fix yet
Touch Panel 600 Advanced Line  | FW23              | FW24
Touch Panel 600 Marine Line    | FW20–FW22         | FW24
Remediation & Mitigation

Do now
WORKAROUND: Restrict network access to WAGO devices by implementing firewall rules to block HTTP traffic from untrusted networks; allow only from authorized engineering workstations or management networks
HARDENING: Disable the web-based-management service on devices where it is not operationally required

Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

Edge Controller
HOTFIX: Update Edge Controller to FW24 or later if currently running FW20–FW22
PFC100
HOTFIX: Update PFC100 to FW24 or later if currently running FW20–FW22
PFC200
HOTFIX: Update PFC200 (model 750-81xx/xxx-xxx) to FW22 SP1 or later; apply FW24 if available
HOTFIX: Update PFC200 (model 750-821x/xxx-xxx) to FW24 or later
All products
HOTFIX: Update all Touch Panel 600 devices (Advanced, Marine, Standard) to FW22 SP1 or FW24 depending on model
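An added exposure check, not part of the advisory: it encodes the affected-version ranges and listed fix versions from the product table above and evaluates a constructed inventory against them, parsing firmware strings in the advisory's "FW22 SP1" style. The model-specific FW22 SP1 hotfixes in the schedule are not encoded, so PFC200 and Touch Panel 600 units flagged as affected still need a manual model check.

```python
"""Exposure check for VDE-2023-007 against a device inventory (added example)."""
import re

# Affected ranges and fix versions taken from the advisory's product table:
# (product, lowest affected FW, highest affected FW, listed fix FW or None).
AFFECTED = [
    ("Compact Controller 100", "FW22", "FW23", None),
    ("Edge Controller", "FW20", "FW22", "FW24"),
    ("PFC100", "FW22", "FW22", "FW24"),
    ("PFC200", "FW20", "FW23", None),
    ("Touch Panel 600 Advanced Line", "FW23", "FW23", "FW24"),
    ("Touch Panel 600 Marine Line", "FW20", "FW22", "FW24"),
]

# Constructed sample inventory (hostname, product, firmware); not real assets.
INVENTORY = [
    ("plc-ww-01", "PFC200", "FW22"),
    ("plc-ww-02", "PFC100", "FW24"),
    ("hmi-pump-3", "Touch Panel 600 Marine Line", "FW21"),
    ("edge-gw-1", "Edge Controller", "FW23"),
    ("cc100-lab", "Compact Controller 100", "FW22 SP1"),
]


def parse_fw(version):
    """'FW22' -> (22, 0); 'FW22 SP1' -> (22, 1). A service pack ranks above its base release."""
    m = re.fullmatch(r"FW(\d+)(?:\s*SP(\d+))?", version.strip(), re.IGNORECASE)
    if not m:
        raise ValueError(f"unrecognised firmware string: {version!r}")
    return int(m.group(1)), int(m.group(2) or 0)


def assess(product, version):
    """Classify one device against the advisory table."""
    fw = parse_fw(version)
    for name, lo, hi, fix in AFFECTED:
        if name != product:
            continue
        if fix is not None and fw >= parse_fw(fix):
            return "fixed"
        # A service pack of the highest affected release is still affected unless it
        # meets the listed fix version, so only the major number is compared at the top end.
        if parse_fw(lo) <= fw and fw[0] <= parse_fw(hi)[0]:
            return "affected, no fix released" if fix is None else f"affected, update to {fix}"
        return "not in listed range; verify with vendor"
    return "product not listed in advisory"


def report(inventory=INVENTORY):
    """Map each hostname to its status; 'affected' entries form the patch/isolate worklist."""
    return {host: assess(product, fw) for host, product, fw in inventory}
```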
Long-term hardening
HARDENING: Isolate WAGO controllers and HMIs from direct Internet access by placing them behind a firewall or air-gapping them from untrusted networks