WAGO: Critical sudo Vulnerability in Multiple Products

Act Now7.8VDE-2025-082Sep 8, 2025

Attack VectorLocal

Auth RequiredLow

ComplexityLow

User InteractionNone needed

Summary

A vulnerability in the sudo utility on WAGO PLC and HMI controllers allows a low-privileged local user to execute commands with root privileges. The vulnerability affects firmware versions 04.05.10 (FW27) through 04.08.00 (FW29) across the CC100, PFC100 G2, PFC200 G2, PFC300, TP600, WP400, and Edge Controller product families.

What this means

What could happen

An attacker with local access to a WAGO controller could escalate privileges to root level and run arbitrary commands, allowing them to modify process logic, alter setpoints, or halt operations on critical infrastructure devices.

Who's at risk

Water utilities and industrial facilities using WAGO automation controllers including the CC100, PFC (100/200/300), TP600, WP400, and Edge Controller product lines. These devices are commonly used in pump stations, treatment processes, and other critical operations.

How it could be exploited

An attacker with a low-privileged account on the device exploits a flaw in the sudo command to execute commands as the root user. This requires local shell access to the device but no special privileges or complex steps to trigger the vulnerability.

Prerequisites

Local shell access to the device with a low-privileged user account
sudo installed and configured on the device (standard on affected WAGO products)

Low complexity local privilege escalationNo authentication required beyond basic user account accessAffects multiple critical infrastructure device types

Exploitability

Actively exploited — confirmed by CISA KEV

Affected products (12)

12 with fix

ProductAffected VersionsFix Status

CC100 0751-9x0104.05.10 (FW27)<04.08.01 (FW30)04.08.01

PFC100 G2 0750-811x-xxxx-xxxx04.05.10 (FW27)<04.08.01 (FW30)04.08.01

PFC200 G2 750-821x-xxx-xxx04.05.10 (FW27)<04.08.01 (FW30)04.08.01

PFC300 0750-830204.05.10 (FW27)<04.08.01 (FW30)04.08.01

TP600 0762-420x/8000-000x04.05.10 (FW27)<04.08.01 (FW30)04.08.01

TP600 0762-430x/8000-000x04.05.10 (FW27)<04.08.01 (FW30)04.08.01

TP600 0762-520x/8000-000x04.05.10 (FW27)<04.08.01 (FW30)04.08.01

TP600 0762-530x/8000-000x04.05.10 (FW27)<04.08.01 (FW30)04.08.01

Remediation & Mitigation

0/3

Do now

0/1

WORKAROUNDIf firmware update is not immediately available, install the interim sudo 1.9.17p1 update from WAGO download center

Schedule — requires maintenance window

0/1

Patching may require device reboot — plan for process interruption

HOTFIXUpdate firmware to version 04.08.01 (FW30) or later on all affected WAGO controllers

Long-term hardening

0/1

HARDENINGRestrict local shell access to WAGO controllers to authorized personnel only and disable unnecessary remote login services

CVEs (1)

CVE-2025-32463

View full CERT@VDE advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/56f38a4a-92aa-400a-a1f9-17af4090bba6