WAGO: Vulnerability in WAGO Navigator
Recommended action: Plan Patch
CVSS score: 7.8
Advisory ID: VDE-2024-021
Published: May 21, 2024
Attack Vector: Local
Auth Required: None
Complexity: Low
User Interaction: Required
Summary
WAGO Navigator versions 1.0.1 and 1.0 contain a vulnerability due to the use of WiX toolset version 3.11.2. The vulnerability allows local attackers to exploit insecure file permissions and potentially gain elevated privileges on the engineering workstation. A patched version (1.0.2) is available through the WAGO download center.
What this means
What could happen
An attacker with local access to a machine running WAGO Navigator 1.0 or 1.0.1 could gain elevated privileges and read or modify files on the system, potentially compromising the integrity of engineering configurations or project files.
Who's at risk
Engineering and maintenance staff who use WAGO Navigator on Windows workstations to configure and manage WAGO industrial controllers and programmable logic controllers (PLCs). This affects anyone using legacy WAGO Navigator versions 1.0 or 1.0.1 for PLC programming and configuration.
How it could be exploited
An attacker with local access could exploit insecure file permissions or a supply chain vulnerability in the bundled WiX toolset to escalate privileges and execute arbitrary code with administrator-level access on the engineering workstation.
Prerequisites
- Local access to the machine running WAGO Navigator
- User interaction to trigger the vulnerability (likely during application use or installation)
- No special credentials or network access required
Tags: Local access required · User interaction needed · Insecure permissions (CWE-732) · Vulnerable software dependency (WiX toolset)
Affected products (2)
2 with fix
Product            Affected Versions   Fix Status
Navigator 1.0      1.0                 1.0.2
Navigator 1.0.1    1.0.1               1.0.2
Remediation & Mitigation
Schedule: requires maintenance window
Patching may require device reboot; plan for process interruption
HOTFIX: Update WAGO Navigator to version 1.0.2 or later from the WAGO download center
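As an added example (not WAGO's code and not part of this advisory), the following PowerShell script lets an administrator check an engineering workstation for the weakness class described here (CWE-732, insecure file permissions on an installed application). It walks the install directory and reports any Allow ACE that grants write, modify or full-control rights to broad principals such as Everyone or BUILTIN\Users. The install path is a placeholder assumption; substitute the real WAGO Navigator install directory on the workstation.

```powershell
# Added example: audit an application install directory for broad write permissions (CWE-732).
# Not WAGO's code. The default path below is a placeholder assumption, not a documented location.
param(
    [string]$InstallDir = 'C:\Program Files (x86)\WAGO\Navigator'   # placeholder, adjust
)

# Principals that any interactive, non-administrative user belongs to.
$BroadPrincipals = @(
    'Everyone',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE',
    'BUILTIN\Users'
)

# Rights that would let such a user replace or tamper with binaries and installer artefacts.
$WriteMask = [System.Security.AccessControl.FileSystemRights]'Write, Modify, FullControl'

function Test-WeakAcl {
    param([string]$Path)
    $findings = @()
    $acl = Get-Acl -LiteralPath $Path -ErrorAction Stop
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $id = $ace.IdentityReference.Value
        if ($BroadPrincipals -notcontains $id) { continue }
        # Cast to int so generic-right bit patterns on inherited ACEs compare cleanly.
        if ([int]($ace.FileSystemRights -band $WriteMask) -ne 0) {
            $findings += [pscustomobject]@{
                Path      = $Path
                Principal = $id
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    }
    return $findings
}

if (-not (Test-Path -LiteralPath $InstallDir)) {
    Write-Warning "Install directory not found: $InstallDir"
    exit 0
}

# Audit the directory itself plus everything beneath it.
$targets = @(Get-Item -LiteralPath $InstallDir) +
           @(Get-ChildItem -LiteralPath $InstallDir -Recurse -Force -ErrorAction SilentlyContinue)

$results = @()
foreach ($item in $targets) {
    $results += Test-WeakAcl -Path $item.FullName
}

if ($results.Count -eq 0) {
    Write-Output "No broad write permissions found under $InstallDir"
} else {
    Write-Output "Entries granting write access to broad principals:"
    $results | Format-Table -AutoSize
}
```

Run it from an elevated prompt so every file's ACL can be read. A clean result on version 1.0.2 confirms the patched installer laid down sane permissions; findings on 1.0 or 1.0.1 are the condition this advisory describes and should be resolved by updating rather than by hand-editing ACLs, since the installer may recreate them.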
CVEs (2)