A vulnerability in the web-based management allows an unauthenticated remote attacker to inject arbitrary system commands and gain full system control. Those commands are executed with root privileges. The vulnerability is located in the user request handling of the web-based management.
The vulnerability is located in the user request handling module in the web management interface. The attacker sends a specially crafted HTTP request to the WWW panel without requiring authentication. Unvalidated input data is passed directly to system calls (CWE-78), allowing injection and execution of arbitrary shell commands with root privileges.
The attacker gains full control over the device's operating system with root privileges — they can read and modify data, install malicious software, disrupt device operation, or use it as an entry point for further compromise of the industrial network.
Patches available from the manufacturer should be applied in accordance with the references (https://cert.vde.com/en/advisories/VDE-2023-037). Until the fix is deployed, it is recommended to isolate the WWW management interface from untrusted networks and restrict access to the administration panel exclusively to trusted IP addresses.
WAGO devices: 0852-0602 (firmware), 0852-0603 (firmware), 0852-1605 (firmware) — specific firmware versions indicated in the manufacturer's references (cert.vde.com VDE-2023-037)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HWago 0852 0602
HWWagowszystkie wersjeWago 0852 0602 Firmware
OSWago< 1.0.6.s0Wago 0852 0603
HWWagowszystkie wersjeWago 0852 0603 Firmware
OSWago< 1.0.6.s0Wago 0852 1605
HWWagowszystkie wersjeWago 0852 1605 Firmware
OSWago< 1.2.5.s0
Related vulnerabilities
Stack buffer overflow w urządzeniach WAGO 0852 — pełne przejęcie urządzenia
Stack buffer overflow w urządzeniach Wago 0852 – pełne przejęcie urządzenia
In multiple products of WAGO a vulnerability allows an unauthenticated, remote attacker to create new users an...
The configuration backend of the web-based management can be used by unauthenticated users, although only auth...
The configuration backend allows an unauthenticated user to write arbitrary data with root privileges to the s...