WAGO: Year 2038 problem

MonitorCVSS 6.5VDE-2025-007Apr 15, 2025

WAGO

Attack path

Attack VectorNetwork

Auth RequiredLow

ComplexityLow

User InteractionNone needed

Summary

The Year 2038 Problem affects WAGO controllers and touch panels that use 32-bit integers to represent time as seconds since January 1, 1970. On January 19, 2038, at 03:14:07 UTC, the time value will overflow the 32-bit maximum, causing the internal clock to reset to a negative value. This will disrupt any processes relying on accurate system time, including logging, scheduling, and time-based control logic. Affected products include CC100, PFC100 G1/G2, PFC200 G1/G2, TP600 touch panels, and Edge Controller units. The fix is available in firmware version 04.07.01 (FW29) for most products and version 03.10.11 (FW22 Patch 2) for PFC100 G1 and PFC200 G1 variants.

What this means

What could happen

When the system date reaches January 19, 2038, 32-bit time overflow will cause these WAGO controllers and touch panels to malfunction, potentially stopping normal operations or causing incorrect timing-dependent actions in industrial processes.

Who's at risk

Municipal and industrial operators using WAGO industrial controllers and touch panels should be concerned. Affected devices include the CC100, PFC100/PFC200 programmable logic controllers, TP600 touch panels, and Edge Controller units commonly deployed in water authorities, wastewater treatment, electrical distribution, and other critical infrastructure automation systems.

How it could be exploited

This is not a typical security vulnerability exploited by an attacker. Instead, it is a time-based fault that will trigger automatically on January 19, 2038 when the controller's internal clock rolls over. At that moment, any process that depends on accurate time—such as logging, scheduling, or time-based state machines—will fail or behave unpredictably.

Prerequisites

Device must be in operation on or after January 19, 2038
Device firmware must be below the patched version
Device must rely on internal time-based functions for critical operations

Year 2038 overflow will affect all unpatched devices on that dateLow EPSS score but high operational impact on future systemsNo workaround once the fault occurs

Exploitability

Unlikely to be exploited — EPSS score 0.3%

Affected products (24)

24 with fix

ProductAffected VersionsFix Status

CC100 0751-9x01<04.07.0104.07.01

CC100 0751-9x01<04.07.01 (70)04.07.01

PFC100 G1 0750-810x/xxxx-xxxx<03.10.1103.10.11

PFC100 G2 0750-811x-xxxx-xxxx<04.07.0104.07.01

PFC100 G2 0750-811x-xxxx-xxxx<04.07.01 (70)04.07.01

Remediation & Mitigation

0/8

Schedule — requires maintenance window

0/7

Patching may require device reboot — plan for process interruption

CC100 0751-9x01

HOTFIXUpdate CC100 0751-9x01 to firmware version 04.07.01 or later

PFC100 G1 0750-810x/xxxx-xxxx

HOTFIXUpdate PFC100 G1 0750-810x/xxxx-xxxx to firmware version 03.10.11 or later

PFC100 G2 0750-811x-xxxx-xxxx

HOTFIXUpdate PFC100 G2 0750-811x-xxxx-xxxx to firmware version 04.07.01 or later

PFC200 G1 750-820x-xxx-xxx

HOTFIXUpdate PFC200 G1 750-820x-xxx-xxx to firmware version 03.10.11 or later

PFC200 G2 750-821x-xxx-xxx

HOTFIXUpdate PFC200 G2 750-821x-xxx-xxx to firmware version 04.07.01 or later

Edge Controller 0752-8303/8000-0002

HOTFIXUpdate Edge Controller 0752-8303/8000-0002 to firmware version 04.07.01 or later

All products

HOTFIXUpdate TP600 touch panels (all model variants) to firmware version 04.07.01 or later

Long-term hardening

0/1

HARDENINGPlan and schedule firmware update maintenance window well in advance of January 2038 to minimize operational disruption

CVEs (1)

CVE-2025-0101

View full CERT@VDE advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/7f7e1c63-d0d2-4f82-862a-a24fd11ea327

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.