CVE-2021-20998

Summary

In multiple managed switches by WAGO in different versions without authorization and with specially crafted packets it is possible to create users.

Affected Software

VendorProductVersion RangeStatus
WAGO0852-0303unspecified <= V1.2.3.S0affected
WAGO0852-1305unspecified <= V1.1.7.S0affected
WAGO0852-1505unspecified <= V1.1.6.S0affected
WAGO0852-1305/000-001unspecified <= V1.0.4.S0affected
WAGO0852-1505/000-001unspecified <= V1.0.4.S0affected

Weaknesses

  • CWE-306: CWE-306 Missing Authentication for Critical Function

Workarounds

Disable the web server of the device. Use the CLI interface of the device. Update to the latest firmware. Restrict network access to the device. Do not directly connect the device to the internet.

ADP Enrichment

CVE Program Container

Additional References

References