WAGO: Escalation of Privileges in Coupler Firmware

Plan Patch7.5VDE-2025-048Sep 8, 2025

Attack VectorNetwork

Auth RequiredLow

ComplexityHigh

User InteractionNone needed

Summary

A design flaw in WAGO Coupler firmware versions below 13 exposes internal system partitions containing firmware and certificates. File system permissions intended to protect these partitions are not enforced, allowing FTP and SFTP services to inadvertently access sensitive internal resources. The vulnerability requires valid user credentials and network access but can lead to unauthorized data access and potential firmware extraction.

What this means

What could happen

An attacker with valid user credentials could access internal firmware and certificate files that should be protected, allowing them to extract sensitive data or potentially modify system behavior on affected WAGO couplers.

Who's at risk

WAGO Coupler models 0750-0362, 0750-0363, 0750-0364, 0750-0365, and 0750-0366 with firmware versions below FW13 are affected. These devices are commonly used as remote I/O hubs and communication gateways in process control systems and distributed automation networks. Water utilities and power systems using WAGO couplers for SCADA remote terminal units (RTUs) or decentralized I/O should assess exposure.

How it could be exploited

An attacker with valid FTP/SFTP credentials accesses the coupler over the network. During firmware mount operations, the attacker can read files from internal system partitions that are temporarily exposed due to unenforced file system permissions. Extracted firmware or certificates could be used for further attacks.

Prerequisites

Valid FTP or SFTP user credentials on the coupler
Network access to FTP or SFTP port on the coupler
Firmware version prior to FW13 on affected coupler models

remotely exploitablerequires valid credentialsaffects data confidentiality and firmware integrityfile permission enforcement issue

Exploitability

Low exploit probability (EPSS 0.1%)

Affected products (10)

10 with fix

ProductAffected VersionsFix Status

Coupler 0750-0362<FW13FW13

Coupler 0750-0362/0000-0001<FW13FW13

Coupler 0750-0362/0040-0000<FW13FW13

Coupler 0750-0362/K013-1080<FW13FW13

Coupler 0750-0362/K019-7576<FW13FW13

Coupler 0750-0363<FW13FW13

Coupler 0750-0363/0040-0000<FW13FW13

Coupler 0750-0364/0040-0010<FW13FW13

Remediation & Mitigation

0/3

Do now

0/1

WORKAROUNDDisable SFTP on affected couplers running firmware versions below 13 through device configuration

Schedule — requires maintenance window

0/1

Patching may require device reboot — plan for process interruption

HOTFIXUpdate WAGO couplers (models 0750-0362, 0750-0363, 0750-0364, 0750-0365, 0750-0366 and variants) to firmware version 13 or later

Long-term hardening

0/1

HARDENINGRestrict network access to FTP and SFTP ports on couplers to authorized engineering workstations only

CVEs (1)

CVE-2025-41664

View full CERT@VDE advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/16e35abd-9bbb-42f8-8472-5199e875cc92