Improper Input Validation in WAGO e!COCKPIT Automation Software
CVE-2019-5159
7.8 HIGH
Summary
An exploitable improper input validation vulnerability exists in the firmware update functionality of WAGO e!COCKPIT automation software version 1.6.0.7. This vulnerability allows an attacker to leverage a specially crafted firmware update file to write arbitrary files to arbitrary locations on WAGO controllers during the update process. This could potentially lead to code execution if an attacker creates a malicious firmware update package and the user unwittingly selects this package when initiating a firmware update through the e!COCKPIT interface.
Affected Version(s)
WAGO e!COCKPIT 1.6.0.7
CVSS V3.1
Score: 7.8
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Local
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged
Timeline
Vulnerability published
Vulnerability Reserved