WAGO: Critical sudo Vulnerability in Multiple Products

Act NowCVSS 7.8VDE-2025-082Sep 8, 2025

WAGO

Attack path

Attack VectorLocal

Auth RequiredLow

ComplexityLow

User InteractionNone needed

Summary

A privilege escalation vulnerability in sudo on WAGO controllers and HMIs allows a low-privileged user to execute commands with root privileges. The vulnerability affects CC100, PFC100 G2, PFC200 G2, PFC300, TP600, WP400, and Edge Controller devices running firmware versions 04.05.10 (FW27) through 04.08.00 (FW29). Affected devices are vulnerable to local privilege escalation by any user with a valid account on the device.

What this means

What could happen

An attacker with a low-privilege account on a WAGO controller or HMI could escalate to root privileges and execute arbitrary commands, allowing them to modify process parameters, stop industrial operations, or alter safety-critical logic.

Who's at risk

Water utilities, municipalities, and industrial operators using WAGO programmable controllers (CC100, PFC100/200/300 series), TP600 touchpanel HMIs, WP400 wireless panels, and Edge Controllers for process automation, water treatment, distribution, or power systems should immediately patch or update these devices.

How it could be exploited

An attacker with a valid low-privilege user account on the device (such as a maintenance technician or engineer account) can exploit the sudo vulnerability to escalate privileges to root without requiring a password or additional authentication. Once at root level, the attacker can run any command on the controller, including rewriting firmware, changing setpoints, or disabling safety interlocks.

Prerequisites

Valid low-privilege user account on the affected device (local or via remote access)
Access to a shell or command execution interface on the device

actively exploited (KEV)high EPSS score (38.5%)affects industrial control deviceslow authentication required (low-privilege account)privilege escalation to rootaffects safety-relevant systems

Exploitability

Actively exploited — confirmed by CISA KEV

Metasploit module available — weaponized exploitView module ↗

Public Proof-of-Concept (PoC) on GitHub (10 repositories)

Affected products (12)

12 with fix

ProductAffected VersionsFix Status

CC100 0751-9x0104.05.10 (FW27)<04.08.01 (FW30)04.08.01

PFC100 G2 0750-811x-xxxx-xxxx04.05.10 (FW27)<04.08.01 (FW30)04.08.01

PFC200 G2 750-821x-xxx-xxx04.05.10 (FW27)<04.08.01 (FW30)04.08.01

PFC300 0750-830204.05.10 (FW27)<04.08.01 (FW30)04.08.01

TP600 0762-420x/8000-000x04.05.10 (FW27)<04.08.01 (FW30)04.08.01

TP600 0762-430x/8000-000x04.05.10 (FW27)<04.08.01 (FW30)04.08.01

TP600 0762-520x/8000-000x04.05.10 (FW27)<04.08.01 (FW30)04.08.01

TP600 0762-530x/8000-000x04.05.10 (FW27)<04.08.01 (FW30)04.08.01

Remediation & Mitigation

0/5

Do now

0/2

HOTFIXUpdate firmware to version 04.08.01 (FW30) or higher on all affected CC100, PFC100/200/300, TP600, WP400, and Edge Controller devices

HOTFIXIf firmware version 04.08.01 is not yet available, apply the interim sudo 1.9.17p1 update package (ipk) from the WAGO download center immediately

Schedule — requires maintenance window

0/2

Patching may require device reboot — plan for process interruption

HARDENINGRestrict user account creation on WAGO devices to only essential personnel with clear business justification

HARDENINGReview and revoke any unnecessary local user accounts on WAGO controllers and HMIs

Long-term hardening

0/1

HARDENINGImplement network-level access controls to limit shell or remote command access to WAGO devices to authorized engineering networks only

CVEs (1)

CVE-2025-32463

View full CERT@VDE advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/56f38a4a-92aa-400a-a1f9-17af4090bba6

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.