Wago: Multiple vulnerabilities in web-based management of multiple products

Plan PatchCVSS 8.8VDE-2023-039Mar 13, 2024

WAGOManufacturing

Attack path

Attack VectorNetwork

Auth RequiredNone

ComplexityLow

User InteractionRequired

Summary

Multiple cross-site-scripting vulnerabilities exist in the web-based management interface of WAGO programmable logic controllers. These vulnerabilities allow attackers to inject malicious scripts via configuration data, potentially leading to remote code execution. The vulnerabilities affect several WAGO controller models across firmware versions FW13 and earlier. Fixes are available for some product lines (Ethernet Controller 3rd Gen and Fieldbus Coupler Ethernet 3rd Gen via FW14), but controllers with BACnet/IP and BACnet MS/TP protocols have no fix planned.

What this means

What could happen

An attacker could execute malicious scripts on the web-based management interface, potentially gaining control of PLC configuration and logic, or in some cases running arbitrary code that could alter process behavior or stop operations.

Who's at risk

Manufacturing facilities using WAGO PLCs for process automation, including those running BACnet/IP or MS/TP controllers and Ethernet-based controllers. Specifically affects production control systems where these devices manage critical processes.

How it could be exploited

An attacker crafts a malicious configuration or script that exploits the cross-site-scripting vulnerability in the WBM interface. If the device is accessible over the network and an authorized user loads the malicious content, the attacker's code executes with the same privileges as the user, potentially allowing remote code execution depending on configuration.

Prerequisites

Network access to the web-based management port (typically port 80/443)
User with access to the WBM interface must view or interact with the malicious content
WBM must be enabled on the device

remotely exploitableno authentication requiredlow complexityhigh CVSS score (8.8)no patch available for two product linesaffects control system configuration

Exploitability

Unlikely to be exploited — EPSS score 0.7%

Affected products (4)

2 with fix2 EOL

ProductAffected VersionsFix Status

Ethernet Controller 3rd Generation≤ FW13FW14

Fieldbus Coupler Ethernet 3rd Generation≤ FW13FW14

Controller BACnet MS/TP≤ FW13No fix (EOL)

Controller BACnet/IP≤ FW13No fix (EOL)

Remediation & Mitigation

0/6

Do now

0/3

WORKAROUNDDisable web-based management via command line if not required for operations

HARDENINGRestrict network access to the WBM port to only authorized engineering workstations and administrative networks

HARDENINGDo not directly connect affected PLC devices to the internet; keep them on isolated or segmented internal networks

Schedule — requires maintenance window

0/3

Patching may require device reboot — plan for process interruption

Ethernet Controller 3rd Generation

HOTFIXUpdate Ethernet Controller 3rd Generation to firmware FW14 or later

Fieldbus Coupler Ethernet 3rd Generation

HOTFIXUpdate Fieldbus Coupler Ethernet 3rd Generation to firmware FW14 or later

All products

HARDENINGDisable unused TCP and UDP ports on the device

CVEs (2)

CVE-2018-25090 CVE-2015-10123

View full CERT@VDE advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/9d85e63f-ef2a-44a8-96c4-b40494dcc38a

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.