WAGO: Missing Authentication for Critical Function
CVE-2022-45138

9.8CRITICAL

Key Information:

Vendor
Wago
Status
Compact Controller Cc100 (751-9301)
Edge Controller (752-8303/8000-002)
Pfc100 (750-81xx/xxx-xxx)
Pfc200 (750-82xx/xxx-xxx)
Vendor
CVE Published:
27 February 2023

Summary

A security vulnerability exists in the web-based management interface that incorrectly allows unauthenticated users to access sensitive configurations. This flaw enables attackers to read and modify critical device parameters without authentication, posing significant risks of full device compromise. Organizations relying on the affected products should take immediate steps to secure their environments and ensure proper authentication mechanisms are enforced.

Affected Version(s)

Compact Controller CC100 (751-9301) FW16

Compact Controller CC100 (751-9301) FW23

Edge Controller (752-8303/8000-002) FW18

References

https://cert.vde.com/en/advisories/VDE-2022-060/

CVSS V3.1

Score:
9.8
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Ryan Pickren of Georgia Institute of Technologys Cyber-Physical Security Lab
.
CVE-2022-45138 : WAGO: Missing Authentication for Critical Function | SecurityVulnerability.io