Improper Authentication in WAGO PFC200 Series CoDeSys Runtime
CVE-2018-5459

9.8CRITICAL

Key Information:

Vendor
Wago
Status
Wago Pfc200 Series
Vendor
CVE Published:
13 February 2018

Summary

The WAGO PFC200 Series CoDeSys Runtime versions 2.3.X and 2.4.X has a vulnerability that allows an attacker to perform unauthorized remote operations. The issue arises from improper authentication, which exposes the CoDeSys Runtime application, accessible through network port 2455 by default. Attackers can exploit this flaw to execute various unauthenticated commands, including reading, writing, or deleting files, as well as manipulating the PLC application during runtime by sending specially crafted TCP packets.

Affected Version(s)

WAGO PFC200 Series WAGO PFC200 Series

References

https://ics-cert.us-cert.gov/advisories/ICSA-18-044-01
x_refsource_MISC

CVSS V3.1

Score:
9.8
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.
CVE-2018-5459 : Improper Authentication in WAGO PFC200 Series CoDeSys Runtime | SecurityVulnerability.io