OTPulse

WAGO: Vulnerabilities in WAGO Device Manager

MonitorCVSS 6.5VDE-2025-018Jun 16, 2025
WAGO
Attack path
Attack VectorNetwork
Auth RequiredNone
ComplexityLow
User InteractionRequired
Summary

Cross-origin request forgery (CORS) and unauthenticated file system access vulnerabilities exist in WAGO Device Manager embedded firmware. The Device Manager web interface fails to validate request origins (CWE-942) and does not enforce authentication on certain endpoints (CWE-306), allowing an attacker to read files from the controller filesystem or set arbitrary HTTP headers. Affected products include PFC100/PFC200 G1 and G2 controllers, TP600 panel computers, CC100 controllers, and Edge Controller 0752-8303. Only G1 models have vendor patches available; G2, TP600, and Edge Controller models are end-of-life with no fixes planned.

What this means
What could happen
An attacker could read sensitive files from WAGO PLC/controller filesystems or perform cross-origin requests to gather configuration data. This could expose controller settings, credentials, or system information that could lead to unauthorized process changes.
Who's at risk
Water authorities and utilities using WAGO PLC controllers (PFC100, PFC200, TP600, CC100, Edge Controller models) for process automation. Particularly critical for organizations that exposed these controllers to networks where untrusted users or external systems could access the embedded web management interface.
How it could be exploited
An attacker sends a crafted HTTP request to the WAGO Device Manager web interface (which is embedded in firmware) exploiting missing origin validation (CWE-942) and lack of authentication checks (CWE-306). The attacker can read files from the controller's filesystem or manipulate server headers through cross-origin requests, potentially exposing configuration or credentials stored on the device.
Prerequisites
  • Network access to the WAGO Device Manager web interface (default port 8080 or 80)
  • No authentication required
  • Device is reachable from attacker's network or the attacker can trick a user to visit a malicious webpage
Remotely exploitableNo authentication requiredLow complexity attackFile system access possibleMajority of affected product lines have no patch planned
Exploitability
Unlikely to be exploited — EPSS score 0.2%
Affected products (22)
2 with fix20 EOL
ProductAffected VersionsFix Status
PFC100 G1 0750-810x/xxxx-xxxx<03.10.1103.10.11
PFC200 G1 750-820x-xxx-xxx<03.10.1103.10.11
CC100 0751-9x01<04.07.01No fix (EOL)
CC100 0751-9x01<04.07.01 (70)No fix (EOL)
PFC100 G2 0750-811x-xxxx-xxxx<04.07.01No fix (EOL)
Remediation & Mitigation
0/5
Do now
0/2
WORKAROUNDContact WAGO support for custom firmware patches for PFC100 G2, PFC200 G2, TP600, and Edge Controller models (no standard fix available)
HARDENINGRestrict network access to the WAGO Device Manager interface (port 80/8080) to only authorized engineering workstations or administrative networks using firewall rules
Schedule — requires maintenance window
0/2

Patching may require device reboot — plan for process interruption

HOTFIXUpdate PFC100 G1 (0750-810x series) to firmware version 03.10.11 or later
HOTFIXUpdate PFC200 G1 (750-820x series) to firmware version 03.10.11 or later
Mitigations - no patch available
0/1
The following products have reached End of Life with no planned fix: CC100 0751-9x01, CC100 0751-9x01, PFC100 G2 0750-811x-xxxx-xxxx, PFC100 G2 0750-811x-xxxx-xxxx, PFC200 G2 750-821x-xxx-xxx, PFC200 G2 750-821x-xxx-xxx, TP600 0762-420x/8000-000x, TP600 0762-420x/8000-000x, TP600 0762-430x/8000-000x, TP600 0762-430x/8000-000x, TP600 0762-520x/8000-000x, TP600 0762-520x/8000-000x, TP600 0762-530x/8000-000x, TP600 0762-530x/8000-000x, TP600 0762-620x/8000-000x, TP600 0762-630x/8000-000x, TP600 0762-630x/8000-000x, Edge Controller 0752-8303/8000-0002, Edge Controller 0752-8303/8000-0002, TP600 0762-620x/8000-000x. Apply the following compensating controls:
HARDENINGDisable or restrict the Device Manager web interface if not actively used for remote configuration
View full CERT@VDE advisory
API: /api/v1/advisories/17e9ce4d-46ab-4e0c-9cbc-a557d4ec1caf

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.

WAGO: Vulnerabilities in WAGO Device Manager | CVSS 6.5 - OTPulse