WAGO: Improper privilege management in web-based management
Status: Monitor · Score: 5.3 · Advisory ID: VDE-2023-015 · Published: Nov 20, 2023
Attack vector: Local
Privileges required: Low (a valid authenticated account)
Attack complexity: Low
User interaction: None needed
Summary
A misconfiguration of access rights in the web-based management interface allows an authenticated user with low privileges to reset the passwords of other users (all accounts except root). This privilege escalation flaw affects WAGO Compact Controller 100, Edge Controller, PFC100, PFC200, and Touch Panel 600 series devices. An attacker holding any valid low-privilege account can use the configuration tool to reset administrator credentials and thereby gain full control of the device, including the ability to modify controller configuration, setpoints, and process logic.
What this means
What could happen
An authenticated user with low privileges could reset the passwords of other users, take over the device's web-based management interface, and from there alter controller configuration or process setpoints, or disable safety interlocks.
Who's at risk
Operators of WAGO industrial controllers and HMIs who use Compact Controller 100, Edge Controller, PFC100, PFC200, or Touch Panel 600 series devices for process automation, water treatment, power generation, or manufacturing, and any organization that depends on these devices for critical process control and safety interlocking.
How it could be exploited
An attacker with a low-privilege user account on the device's web-based management interface can reach a misconfigured configuration tool that permits password resets for other (non-root) users. By resetting an administrator's password and logging in as that administrator, the attacker gains full control of the web-based management interface and can modify controller logic, setpoints, or I/O configuration.
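The flaw class described above is a missing authorization check on a privileged operation: the reset handler verifies that the caller is logged in, but not that the caller may act on the target account. The following is an added illustrative model (not WAGO's web-based management code); the in-memory user store, the role names "admin" and "user", the account names, and all function names are constructed for the example. It places the vulnerable handler beside a hardened one that authorizes the operation against the caller's role and requires the current password for self-service changes.

```python
"""
Illustrative model of the flaw class behind VDE-2023-015: a password-reset
operation that checks only authentication (is the caller logged in?) beside
one that checks authorization (may this caller reset that account?).

Added example code, not the WAGO web-based management implementation. The
user store, the roles "admin"/"user", and all names are constructed.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Callable, Dict, Optional


class PermissionDenied(Exception):
    """Raised when the caller may not perform the requested reset."""


@dataclass
class User:
    name: str
    role: str        # constructed roles: "admin" or "user"
    salt: bytes
    pw_hash: bytes


def _hash(password: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256; iteration count kept modest so the example runs quickly.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


def make_user(name: str, role: str, password: str) -> User:
    salt = secrets.token_bytes(16)
    return User(name, role, salt, _hash(password, salt))


def verify_password(user: User, password: str) -> bool:
    return hmac.compare_digest(user.pw_hash, _hash(password, user.salt))


def build_users() -> Dict[str, User]:
    """Constructed device account set: root, one admin, one low-privilege user."""
    return {
        "root": make_user("root", "admin", "root-secret"),
        "admin": make_user("admin", "admin", "admin-secret"),
        "operator": make_user("operator", "user", "operator-secret"),
    }


def _set_password(user: User, new_password: str) -> None:
    user.salt = secrets.token_bytes(16)
    user.pw_hash = _hash(new_password, user.salt)


def reset_password_vulnerable(users: Dict[str, User], caller: str, target: str,
                              new_password: str) -> None:
    """The flaw: any authenticated caller may reset any account except root.

    The only access check is "is the caller a known user", so the low-privilege
    "operator" can overwrite "admin" and take over the device.
    """
    if caller not in users:
        raise PermissionDenied("not authenticated")
    if target == "root":
        raise PermissionDenied("root is protected")  # the one check that existed
    if target not in users:
        raise KeyError(target)
    _set_password(users[target], new_password)


def reset_password_hardened(users: Dict[str, User], caller: str, target: str,
                            new_password: str,
                            current_password: Optional[str] = None) -> None:
    """Authorize the operation, not just the session.

    - root is never resettable through this path;
    - a user may change only their own password and must re-prove it;
    - resetting someone else's password requires the admin role.
    """
    if caller not in users:
        raise PermissionDenied("not authenticated")
    if target == "root":
        raise PermissionDenied("root is protected")
    if target not in users:
        raise KeyError(target)
    actor = users[caller]
    if caller == target:
        if current_password is None or not verify_password(actor, current_password):
            raise PermissionDenied("current password required for self-service change")
    elif actor.role != "admin":
        raise PermissionDenied(f"{caller} (role {actor.role}) may not reset {target}")
    _set_password(users[target], new_password)


def takeover_succeeds(reset_fn: Callable) -> bool:
    """Does a low-privilege "operator" end up controlling "admin" via reset_fn?"""
    users = build_users()
    try:
        reset_fn(users, "operator", "admin", "attacker-chosen")
    except PermissionDenied:
        return False
    return verify_password(users["admin"], "attacker-chosen")


if __name__ == "__main__":
    print("vulnerable handler: takeover =", takeover_succeeds(reset_password_vulnerable))
    print("hardened handler:   takeover =", takeover_succeeds(reset_password_hardened))
```

The point to carry into a real code review is the shape of the check, not the toy store: every handler that changes credentials, roles, or other principals' data needs a decision of the form "may this caller do this to that target", evaluated server-side per request, with root (or the equivalent top-level account) excluded from any self-service path.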
Prerequisites
- Valid low-privilege user credentials for the web-based management interface
- Network access to the web management port (typically 80/443)
Tags: low complexity · requires authentication · affects multiple industrial control device families
Affected products (7), all with a fix available or announced

Product                        | Affected versions | Fixed in
Compact Controller 100         | ≤ FW25            | FW26
Edge Controller                | ≤ FW25            | FW26
PFC100                         | ≤ FW22 Patch 1    | FW22 Patch 2 (available Q1 2024)
PFC200                         | ≤ FW22 Patch 1    | FW22 Patch 2 (available Q1 2024)
Touch Panel 600 Advanced Line  | ≤ FW25            | FW26
Touch Panel 600 Marine Line    | ≤ FW25            | FW26
Touch Panel 600 Standard Line  | ≤ FW25            | FW26
Remediation & Mitigation
Do now
- WORKAROUND: Restrict network access to the web-based management interface with firewall rules so that only authorized engineering workstations can reach the management port (typically 80/443).
- HARDENING: Do not expose the web-based management interface directly to the internet; keep these devices on an isolated internal control network.
Note that both measures only limit who can reach the interface. Any remaining low-privilege account used from an authorized workstation can still exploit the flaw, so also review which accounts exist on each device and remove those that are not needed. For PFC100 and PFC200, these measures are the only mitigation until FW22 Patch 2 ships.
Schedule — requires maintenance window
Patching may require a device reboot, so plan for a process interruption.
- HOTFIX (PFC100, PFC200): update to FW22 Patch 2 (available Q1 2024).
- HOTFIX (Compact Controller 100, Edge Controller, Touch Panel 600 Advanced/Marine/Standard Line): update to FW26.
CVEs (1)