CVE-2021-34578
9.8
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Summary
This vulnerability allows an attacker who has access to the WBM to read and write settings-parameters of the device by sending specifically constructed requests without authentication on multiple WAGO PLCs in firmware versions up to FW07.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| WAGO | PLC | 750-362 <= FW07 | affected |
| WAGO | PLC | 750-363 <= FW07 | affected |
| WAGO | PLC | 750-823 <= FW07 | affected |
| WAGO | PLC | 750-832/xxx-xxx <= FW07 | affected |
| WAGO | PLC | 750-862 <= FW07 | affected |
| WAGO | PLC | 750-891 <= FW07 | affected |
| WAGO | PLC | 750-890/xxx-xxx <= FW07 | affected |
| WAGO | PLC | 750-893 <= FW07 | affected |
Weaknesses
- CWE-287: CWE-287 Improper Authentication
Workarounds
Restrict network access to the device. Do not directly connect the device to the internet. Disable unused TCP/UDP ports. Disable web-based management ports 80/443 after the configuration phase
ADP Enrichment
CVE Program Container
Additional References
References
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.