Arbitrary Command Execution Vulnerability in WAGO PLC OpenVPN Configuration
CVE-2024-1490

7.2HIGH

Key Information:

Vendor: Wago
Status: Cc100 (0751-9x01); Pfc100 G1 (0750-810-xxxx-xxxx); Pfc100 G2 (0750-811x-xxxx-xxxx); Pfc200 G1 (750-820x-xxxx-xxxx)
Vendor: CVE Published:; 9 April 2026

What is CVE-2024-1490?

The vulnerability allows an authenticated remote attacker with high privileges to exploit the OpenVPN configuration through the web-based management interface of a WAGO PLC. If user-defined scripts are enabled, it opens the door for executing arbitrary shell commands on the device, posing significant security risks to the integrity and availability of the system.

Affected Version(s)

CC100 (0751-9x01) 0.0.0 <= 4.5.10

Edge Controller (0752-8303-8000-0002) 0.0.0 <= 4.5.10

PFC100 G1 (0750-810-xxxx-xxxx) 0.0.0 <= 3.10.10

References

https://certvde.com/de/advisories/VDE-2024-008

https://wago.csaf-tp.certvde.com/.well-known/csaf/white/2...

vendor-advisory

CVSS V3.1

Score:

7.2

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

High

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Apr 9, 2026
Vulnerability Reserved
Feb 14, 2024

Credit

Jeroen Wijenbergh, Floris Hendriks from Radboud University

CVE-2024-1490 Data

JSON

Wago

What is CVE-2024-1490?

Affected Version(s)

References

CVSS V3.1

Timeline

Credit