Wago: Vulnerability in Smart Designer Web-Application
Monitor4.3VDE-2023-045Dec 5, 2023
Attack VectorNetwork
Auth RequiredLow
ComplexityLow
User InteractionNone needed
Summary
WAGO Smart Designer versions 2.33.1 and earlier contain an information disclosure vulnerability in the web application. An attacker with valid credentials can enumerate projects and usernames by making iterative requests to a specific endpoint. This endpoint lacks proper authorization checks, allowing authenticated users to extract system configuration details beyond their intended access level.
What this means
What could happen
An attacker with valid credentials could enumerate existing projects and usernames in your Smart Designer installation, potentially gaining information to facilitate further attacks on your automation systems.
Who's at risk
This affects organizations running WAGO Smart Designer for automation and control system configuration, particularly utilities and manufacturers using WAGO automation platforms for process control and monitoring.
How it could be exploited
An attacker with valid engineering or administrator credentials could make repeated requests to a specific endpoint in the Smart Designer web application to iterate through project names and usernames, extracting this information without authorization checks.
Prerequisites
- Valid Smart Designer user credentials (engineering account or higher)
- Network access to Smart Designer web application port
- Knowledge of the vulnerable endpoint
remotely exploitablerequires valid credentialsinformation disclosureno authentication on enumeration endpoint
Affected products (1)
ProductAffected VersionsFix Status
Smart Designer <=2.33.1≤ 2.33.12.34
Remediation & Mitigation
0/1
Schedule — requires maintenance window
0/1Patching may require device reboot — plan for process interruption
HOTFIXUpdate WAGO Smart Designer to version 2.34 or later
CVEs (1)
↑↓ Navigate · Esc Close
API:
/api/v1/advisories/0019da46-f2c8-411b-8e6c-6e2181726aae