Wago: Vulnerabilities in IEC61850 Server / Telecontrol

Plan Patch7.5VDE-2023-044Dec 5, 2023

Attack VectorNetwork

Auth RequiredNone

ComplexityLow

User InteractionNone needed

Summary

The WagoAppRTU library in WAGO Telecontrol Configurator is prone to improper input validation (CWE-20). An attacker can send specially crafted MMS (Manufacturing Message Specification) packets to trigger a denial-of-service condition, causing the service to become unavailable.

What this means

What could happen

An attacker with network access can crash the AppRTU service by sending malformed MMS packets, disrupting remote terminal communications and potentially interrupting telemetry or control functions in RTU-based field equipment.

Who's at risk

This affects WAGO Telecontrol Configurator users, particularly water utilities and electric utilities that deploy WAGO RTUs for remote telemetry and control in substations, pump stations, or water treatment facilities. Any WAGO AppRTU instance running versions before 1.4.6.0 is at risk if exposed to untrusted networks.

How it could be exploited

The attacker sends a specially crafted MMS packet to the AppRTU service listening on the network. The lack of input validation on the MMS message handler causes the service to terminate abnormally, denying service to legitimate operators and automation systems that depend on that RTU for monitoring or control.

Prerequisites

Network access to the device running AppRTU on the MMS protocol port (typically 102/tcp)
No authentication required to send malicious MMS packets

remotely exploitableno authentication requiredlow complexityaffects telemetry and remote communicationsdefault MMS port exposed

Affected products (2)

1 with fix1 EOL

ProductAffected VersionsFix Status

AppRTU < 1.4.6.0<1.4.6.01.4.6.0

Telecontrol ConfiguratorAll versionsNo fix (EOL)

Remediation & Mitigation

0/3

Do now

0/2

WORKAROUNDRestrict network access to the AppRTU MMS port (typically 102/tcp) using firewall rules to trusted engineering networks and SCADA master stations only

HARDENINGDo not expose AppRTU devices directly to the internet; ensure all remote access goes through a VPN or industrial firewall with ICS-aware filtering

Schedule — requires maintenance window

0/1

Patching may require device reboot — plan for process interruption

HOTFIXUpdate WagoAppRTU library to version 1.4.6.0 or later

CVEs (1)

CVE-2023-5188

View full CERT@VDE advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/e26b71a8-00f8-48ce-ac53-4fb73e53d158