WAGO: Multiple Vulnerabilities in CODESYS components

Plan PatchCVSS 7.5VDE-2025-062Nov 3, 2025

CODESYSWAGO

Attack path

Attack VectorNetwork

Auth RequiredNone

ComplexityLow

User InteractionNone needed

Summary

Multiple CODESYS component vulnerabilities (path traversal, information disclosure) affect WAGO industrial controllers including PFC100 (G1 and G2), PFC200 (G1 and G2), CC100, TP600 HMI panels, Basic Controller, and Edge Controller. Vulnerabilities reside in the CODESYS runtime, visualization system, and OPC UA server. An attacker can read sensitive data via network access without authentication. Older product lines (G1 and Basic Controller) have vendor patches available; newer product lines (G2, CC100, TP600 variants, Edge Controller) will not receive patches.

What this means

What could happen

An attacker could read sensitive data from WAGO industrial controllers (PLCs, HMIs, edge devices) running vulnerable CODESYS components via network access without authentication. Most affected products have no patch available and will remain vulnerable indefinitely.

Who's at risk

Water utilities, electric utilities, and other critical infrastructure operators using WAGO industrial controllers (PFC100/G1/G2, PFC200/G1/G2, CC100, TP600, Basic Controller, Edge Controller) as primary logic controllers, HMIs, or edge devices. Especially critical for organizations using these devices to manage process automation, safety logic, or remote monitoring where unauthorized data access could compromise operational integrity or expose sensitive control configurations.

How it could be exploited

An attacker sends crafted network requests to the CODESYS runtime, visualization, or OPC UA server components running on the WAGO device. The vulnerability allows path traversal and information disclosure without requiring credentials or user interaction, potentially exposing proprietary control logic, configuration data, or process parameters.

Prerequisites

Network access to the WAGO device on the port running CODESYS services (typically port 11740 for OPC UA or management interface)
No credentials required

Remotely exploitableNo authentication requiredLow complexity attackNo patch available for majority of affected products (15 of 22 product variants)Affects safety-critical and process control devices

Exploitability

Unlikely to be exploited — EPSS score 0.3%

Affected products (23)

3 with fix20 EOL

ProductAffected VersionsFix Status

PFC100 G1 0750-810x/xxxx-xxxx<03.10.1103.10.11

PFC200 G1 750-820x-xxx-xxx<03.10.1103.10.11

CC100 0751-9x01<04.08.01No fix (EOL)

CC100 0751-9x01<04.08.01 (70)No fix (EOL)

PFC100 G2 0750-811x-xxxx-xxxx<04.08.01No fix (EOL)

Remediation & Mitigation

Update to Firmware version 04.08.01 (FW30), 01.05.01 (FW05), 03.10.11 (FW22 Patch 2). For the latest Custom Firmware please contact the WAGO support.

CVEs (3)

CVE-2025-1468 CVE-2025-2595 CVE-2025-0694

View full CERT@VDE advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/9442d097-4884-43e2-af58-4a5089a2a18a

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.