WAGO: Remote Code Execution Vulnerability in Managed Switches

Act Now · 9.8 · VDE-2023-037 · Nov 21, 2023
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

WAGO Industrial Managed Switches (models 0852-0602, 0852-0603, 0852-1605) are vulnerable to remote code execution via command injection in the web-based management interface. An attacker can inject arbitrary commands without authentication, gaining full control of the switch.

What this means
What could happen
An attacker with network access to the management interface can inject arbitrary commands and gain complete control of the industrial switch, potentially disrupting network connectivity or altering traffic flow critical to production operations.
Who's at risk
Manufacturing facilities and utilities that rely on WAGO Industrial Managed Switches (models 0852-0602, 0852-0603, 0852-1605) for network infrastructure should prioritize this vulnerability. The switches provide critical network connectivity for automation systems, process control, and interoperability between field devices and control centers.
How it could be exploited
An attacker sends a specially crafted request to the web-based management interface of the switch. The application does not properly sanitize input, allowing the attacker to inject shell commands that execute with the privilege level of the web service, giving the attacker the ability to control the device.
Prerequisites
  • Network access to the web management interface (typically HTTP/HTTPS, port 80/443)
  • No authentication required to reach the vulnerable endpoint
  • Remotely exploitable
  • No authentication required
  • Low complexity attack
  • No patch available for older firmware versions
  • High CVSS score (9.8)
  • Affects network infrastructure critical to plant operations
Affected products (2)
2 pending
Product | Affected Versions | Fix Status
Industrial Managed Switch | <1.2.5.S0 | No fix yet
Industrial Managed Switch | <1.0.6.S0 | No fix yet
Remediation & Mitigation
Do now
WORKAROUND: Restrict network access to the management interface using firewall rules; allow only trusted engineering workstations and automation platforms to reach the switch on ports 80 and 443
HARDENING: Do not directly connect the switch to the internet or untrusted networks
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

Industrial Managed Switch
HOTFIX: Update WAGO Industrial Managed Switch models 0852-0602 and 0852-0603 to firmware version 1.0.6.S0 or later
HOTFIX: Update WAGO Industrial Managed Switch model 0852-1605 to firmware version 1.2.5.S0 or later
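To plan the maintenance window, the hotfix versions above can be checked against an asset inventory. The script below is an added example, not part of the advisory or any WAGO tooling; the inventory layout, the hostnames, the model 0852-9999 and the assumption that the "S" suffix orders numerically are all constructed for illustration.

```python
import re

# First fixed firmware per model, taken from the advisory's hotfix entries.
FIXED = {
    "0852-0602": "1.0.6.S0",
    "0852-0603": "1.0.6.S0",
    "0852-1605": "1.2.5.S0",
}

_VERSION = re.compile(r"^(\d+)\.(\d+)\.(\d+)\.S(\d+)$")

def parse_version(text):
    """Turn '1.0.6.S0' into (1, 0, 6, 0). Assumes the S suffix orders numerically."""
    m = _VERSION.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised firmware version: {text!r}")
    return tuple(int(g) for g in m.groups())

def triage(inventory):
    """Label each (host, model, firmware) row: affected, fixed, unknown-version, not-listed."""
    results = []
    for host, model, firmware in inventory:
        fixed = FIXED.get(model.strip())
        if fixed is None:
            status = "not-listed"  # model is not named in this advisory
        else:
            try:
                older = parse_version(firmware) < parse_version(fixed)
                status = "affected" if older else "fixed"
            except ValueError:
                status = "unknown-version"  # treat as affected until checked by hand
        results.append((host, model, firmware, status))
    return results

# Constructed sample inventory (hostnames and firmware strings are made up).
SAMPLE = [
    ("sw-line1", "0852-0602", "1.0.5.S0"),
    ("sw-line2", "0852-0603", "1.0.6.S0"),
    ("sw-core", "0852-1605", "1.2.4.S3"),
    ("sw-pack", "0852-1605", "1.10.0.S0"),  # numeric compare: 1.10 is newer than 1.2
    ("sw-lab", "0852-1605", "V1.2"),
    ("sw-office", "0852-9999", "1.0.0.S0"),
]

if __name__ == "__main__":
    for row in triage(SAMPLE):
        print("{:<10} {:<10} {:<10} {}".format(*row))
```

Rows reported as affected or unknown-version are the ones to keep behind the firewall workaround until they are updated.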
Long-term hardening
HARDENING: Place the industrial switch on a segregated management network separate from production control networks