Wago: Vulnerability in WBM through Open VPN

CVSS 7.2 | VDE-2024-008 | Apr 8, 2026
WAGO
Attack path
Attack Vector: Network
Privileges Required (Auth): High
Attack Complexity: Low
User Interaction: None
Summary

A vulnerability exists in the Web-Based Management (WBM) function of WAGO industrial controllers when OpenVPN is enabled. An attacker who already holds administrative WBM credentials can abuse improper privilege handling in the OpenVPN integration to gain elevated access on the device and execute arbitrary code. Affected products are the CC100, PFC100 (G1/G2), PFC200 (G1/G2), TP600, Edge Controller and WP400 on firmware 4.5.10 or earlier (3.10.10 or earlier for the G1 controllers). WAGO has indicated that no patch will be released for these end-of-life firmware trains. The mitigation is to disable OpenVPN where it is not required and, where it is, to configure OpenVPN's privilege-dropping settings as described in section 7.1.1.5.1 of the WAGO I/O System 750/753 manual.

What this means
What could happen
An attacker holding administrative credentials could use the WBM OpenVPN function to escalate privileges or execute arbitrary code on the controller, and from there disrupt process control or alter the automation logic the device runs. No vendor patch is available, so the exposure persists for as long as OpenVPN stays enabled with an unsafe configuration.
Who's at risk
This vulnerability affects WAGO industrial controllers used for process automation and process monitoring in manufacturing, water/wastewater, and power generation. Impacted products include programmable logic controllers (PFC and CC series), touch-panel HMI terminals (TP600), edge controllers, and web panels (WP400).
How it could be exploited
An authenticated attacker logs in to the Web-Based Management interface with high-privilege credentials on a device where OpenVPN is enabled. Because the device does not handle the OpenVPN process's privileges correctly, input the attacker supplies through the OpenVPN function ends up running with more privileges than the WBM function should grant, which is enough to run commands on the PLC or edge controller and affect process execution.
Prerequisites
  • High-privilege (administrative) credentials for WBM access
  • OpenVPN must be enabled on the device
  • Network access to the WBM interface (typically HTTP/HTTPS on the controller)
Key points
  • No patch available from the vendor
  • Requires administrative credentials, which raises the bar for an outside attacker but leaves the device exposed to insiders and to anyone who steals or reuses an admin password
  • Affects multiple industrial controller product lines
  • High CVSS score (7.2)
Exploitability
Unlikely to be exploited — EPSS score 0.1%
Affected products (26, all EOL)
Product                           Affected Versions   Fix Status
PFC100 G1 0750-810-xxxx-xxxx      ≤ 3.10.10           No fix (EOL)
PFC100 G2 0750-811x-xxxx-xxxx     ≤ 4.5.10            No fix (EOL)
PFC100 G2 0750-811x-xxxx-xxxx     4.5.10              No fix (EOL)
PFC200 G1 750-820x-xxx-xxx        ≤ 3.10.10           No fix (EOL)
PFC200 G1 750-820x-xxx-xxx        3.10.10             No fix (EOL)
Remediation & Mitigation
Do now
WORKAROUND: Disable OpenVPN on all affected WAGO controllers (CC100, PFC100/200, TP600, Edge Controller, WP400) where it is not operationally required.
HARDENING: Restrict network access to the WBM interface to authorized engineering workstations and trusted networks, using firewall rules or network segmentation.
HARDENING: Strengthen authentication: replace default WBM credentials, enforce complex passwords, and limit the number and everyday use of administrative accounts.
Schedule (requires maintenance window)

There is no patch to apply, but disabling OpenVPN or changing its configuration may still require a service restart or device reboot, so plan for process interruption.

WORKAROUND: Where OpenVPN must stay enabled, review its configuration against the privilege-dropping procedure in section 7.1.1.5.1 of the WAGO I/O System 750/753 manual, so that the OpenVPN process retains no more privileges than it needs.
HARDENING: Monitor controller logs for WBM logins and failed authentication attempts from unexpected sources, and for indicators of OpenVPN-related privilege escalation such as unexpected changes to the OpenVPN configuration.
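The privilege-dropping step above is the only mitigation left for devices that must keep OpenVPN enabled. The shell script below is an added example written for this page, not WAGO's or OTPulse's tooling: it checks an OpenVPN configuration file for the user and group directives that make OpenVPN drop root after initialisation, for the persist-key and persist-tun options that a process which has dropped privileges needs in order to survive a reconnect, and it flags a "user root" that is present but drops nothing. The two sample configurations are constructed for the demonstration; running the check on the controller itself over SSH, and the location of the config there, are assumptions to confirm against the manual, and section 7.1.1.5.1 remains the authoritative reference for WAGO's specific settings.

```shell
#!/bin/sh
# Added example, not WAGO's or OTPulse's own tooling: audit an OpenVPN config
# for the privilege-dropping directives the mitigation relies on, before the
# file is uploaded through WBM (or on the controller over SSH; the config
# path there is an assumption, check the manual).
#
# OpenVPN semantics used here (from the OpenVPN reference manual):
#   user/group      drop to this UID/GID after initialisation
#   persist-key     keep key material in memory across restarts, because the
#                   unprivileged user can no longer re-read the key files
#   persist-tun     keep the tun device open across restarts, because the
#                   unprivileged user can no longer re-open /dev/net/tun

# Print the missing or unsafe directives as one space-separated line; return 0
# only when all four privilege-dropping directives are present and sane.
check_openvpn_privdrop() {
    cfg="$1"
    [ -r "$cfg" ] || { echo "cannot read $cfg" >&2; return 2; }
    missing=""
    for d in user group; do
        # last occurrence wins, as it does for OpenVPN; '#' and ';' start comments
        val=$(sed -n "s/^[[:space:]]*$d[[:space:]]\{1,\}\([^[:space:]#;]*\).*/\1/p" "$cfg" | tail -n 1)
        case "$val" in
            "")     missing="$missing $d" ;;        # directive absent
            root|0) missing="$missing $d=root" ;;   # present but does not drop anything
        esac
    done
    for d in persist-key persist-tun; do
        grep -Eq "^[[:space:]]*$d([[:space:]]|\$)" "$cfg" || missing="$missing $d"
    done
    missing=${missing# }
    printf '%s\n' "$missing"
    [ -z "$missing" ]
}

# Two constructed sample configs: one that keeps root for the whole tunnel
# lifetime, one with the privilege drop configured.
WORK=$(mktemp -d 2>/dev/null || echo "${TMPDIR:-/tmp}/ovpn-audit.$$")
mkdir -p "$WORK"
WEAK_CFG="$WORK/weak.conf"
HARD_CFG="$WORK/hardened.conf"

cat > "$WEAK_CFG" <<'EOF'
# constructed sample: no privilege drop at all
client
dev tun
proto udp
remote vpn.example.invalid 1194
ca ca.crt
cert client.crt
key client.key
EOF

cat > "$HARD_CFG" <<'EOF'
# constructed sample: privilege drop plus the persist options it requires
client
dev tun
proto udp
remote vpn.example.invalid 1194
ca ca.crt
cert client.crt
key client.key
user nobody
group nogroup
persist-key
persist-tun
EOF

for f in "$WEAK_CFG" "$HARD_CFG"; do
    if result=$(check_openvpn_privdrop "$f"); then
        echo "$f: OK"
    else
        echo "$f: missing/unsafe: $result"
    fi
done
```

Run it against the .conf before uploading the file through WBM: a non-zero exit together with the printed list of directives is the signal to fix the configuration first. The check treats "user root" as a failure on purpose, since the directive is present but leaves the process with full privileges, which is exactly the state the advisory's mitigation is meant to remove.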