WAGO: Escalation of Privileges in Coupler Firmware

Plan Patch | CVSS 7.5 | VDE-2025-048 | Sep 8, 2025
WAGO
Attack path
Attack Vector: Network
Auth Required: Low
Complexity: High
User Interaction: None needed
Summary

A design flaw in the file system management of WAGO Coupler firmware (models 0750-0362, 0750-0363, 0750-0364, 0750-0365, 0750-0366 and variants) exposes internal system partitions containing firmware and certificates. Although the system has a permission control layer (Nucleus), these permissions are not enforced. Services like FTP and SFTP can therefore access critical internal resources that should be protected, enabling potential firmware extraction, certificate theft, or device compromise. The vulnerability affects firmware versions prior to FW13.

What this means
What could happen
An attacker with local network access and low-level credentials could read or modify internal system files including firmware and certificates on WAGO Couplers, potentially compromising device integrity and enabling further attacks on the control system.
Who's at risk
Water utilities and manufacturers using WAGO Coupler 0750-036x series devices (especially models 0750-0362, 0750-0363, 0750-0364, 0750-0365, 0750-0366 and variants) as industrial network interfaces or remote I/O modules in their SCADA or PLC systems. This is particularly relevant for devices managing critical control logic or data that could be compromised if firmware or certificates are modified.
How it could be exploited
An attacker with valid credentials to the device could connect via FTP or SFTP and access internal system partitions that should be protected by file permissions. Because permission controls are not enforced, the attacker can read sensitive files like firmware and certificates, or potentially overwrite them to modify device behavior.
Prerequisites
  • Valid user credentials for FTP or SFTP access to the device
  • Network access to the device on port 21 (FTP) or port 22 (SFTP)
  • FTP enabled or SFTP not explicitly disabled (SFTP is enabled by default on affected firmware versions)
remotely exploitable; low complexity; affects sensitive system files (firmware and certificates); permission enforcement failure; credentials required but often weak or default in legacy ICS
Exploitability
Unlikely to be exploited — EPSS score 0.1%
Affected products (10)
10 with fix
Product                        Affected Versions   Fix Status
Coupler 0750-0362              <FW13               FW13
Coupler 0750-0362/0000-0001    <FW13               FW13
Coupler 0750-0362/0040-0000    <FW13               FW13
Coupler 0750-0362/K013-1080    <FW13               FW13
Coupler 0750-0362/K019-7576    <FW13               FW13
Coupler 0750-0363              <FW13               FW13
Coupler 0750-0363/0040-0000    <FW13               FW13
Coupler 0750-0364/0040-0010    <FW13               FW13
Remediation & Mitigation
Do now
WORKAROUND: Disable SFTP on any devices running firmware versions below 13 through the device configuration settings
HARDENING: Restrict network access to FTP (port 21) and SFTP (port 22) on affected Couplers to authorized engineering workstations only using firewall rules

Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Update all affected WAGO Couplers to firmware version 13 or later
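
To prioritize the workaround, hardening and update steps above across a fleet, the following added example (not part of the advisory or any WAGO tooling) triages an asset inventory against the affected models and the FW13 fix version. The CSV column names, host addresses and firmware string format are assumptions, and the sample inventory is constructed.

```python
import csv
import io
import re

# Base order numbers named in the advisory summary; variants carry a "/suffix".
AFFECTED_BASES = {"0750-0362", "0750-0363", "0750-0364", "0750-0365", "0750-0366"}
FIXED_FW = 13  # advisory: versions prior to FW13 are affected
TRANSFER_PORTS = {21: "FTP", 22: "SFTP"}

# Constructed sample inventory (hypothetical hosts and column names).
SAMPLE_INVENTORY = """host,order_number,firmware,open_ports
10.0.5.11,0750-0362,FW11,21;22;80
10.0.5.12,0750-0363/0040-0000,FW13,22;443
10.0.5.13,0750-0364/0040-0010,fw 12,443
10.0.5.14,0750-8212,FW10,21;22
10.0.5.15,0750-0366,unknown,22
"""

def parse_fw(text):
    """Return the firmware number from strings like 'FW11' or '12', else None."""
    m = re.fullmatch(r"\s*(?:FW)?\s*(\d+)\s*", text, re.IGNORECASE)
    return int(m.group(1)) if m else None

def audit(inventory_csv):
    """Return (host, status, exposed_services) for each affected-model row."""
    findings = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        base = row["order_number"].split("/", 1)[0].strip()
        if base not in AFFECTED_BASES:
            continue  # model not covered by this advisory
        fw = parse_fw(row["firmware"])
        ports = {int(p) for p in row["open_ports"].split(";") if p.strip().isdigit()}
        exposed = [TRANSFER_PORTS[p] for p in sorted(ports) if p in TRANSFER_PORTS]
        if fw is None:
            status = "UNKNOWN_FW"  # cannot rule out exposure: verify manually
        elif fw >= FIXED_FW:
            status = "FIXED"
        elif exposed:
            status = "VULNERABLE_EXPOSED"  # below FW13 with FTP/SFTP reachable
        else:
            status = "VULNERABLE_NO_TRANSFER_PORT"  # still schedule the update
        findings.append((row["host"], status, exposed))
    return findings

if __name__ == "__main__":
    for host, status, exposed in audit(SAMPLE_INVENTORY):
        print(f"{host:12} {status:28} {','.join(exposed) or '-'}")
```

Rows reported as UNKNOWN_FW are kept in the output on purpose, since a device whose firmware version cannot be read has not been shown to be fixed.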
API: /api/v1/advisories/16e35abd-9bbb-42f8-8472-5199e875cc92
