Hardcoded Private Keys in WAGO 852-303, 852-1305, and 852-1505 Devices
CVE-2019-12549

9.8CRITICAL

Key Information:

Vendor
Wago
Status
852-303 Firmware
Vendor
CVE Published:
17 June 2019

Summary

The WAGO 852-303, 852-1305, and 852-1505 devices have a security issue where hardcoded private keys are utilized by the SSH daemon. This vulnerability allows an adversary to compromise the security of these devices, as the SSH host key fingerprint directly matches the embedded private key. Such exposure could lead to unauthorized access and control over critical systems, making it crucial for users to apply recommended firmware updates.

References

https://www.wago.com/us/
x_refsource_MISC
https://ics-cert.us-cert.gov/advisories/ICSA-19-164-02
x_refsource_MISC
https://cert.vde.com/en-us/advisories/vde-2019-013
x_refsource_MISC

CVSS V3.1

Score:
9.8
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.
CVE-2019-12549 : Hardcoded Private Keys in WAGO 852-303, 852-1305, and 852-1505 Devices | SecurityVulnerability.io