CVE-2021-34578

Summary

This vulnerability allows an attacker who has access to the WBM to read and write settings-parameters of the device by sending specifically constructed requests without authentication on multiple WAGO PLCs in firmware versions up to FW07.

Affected Software

VendorProductVersion RangeStatus
WAGOPLC750-362 <= FW07affected
WAGOPLC750-363 <= FW07affected
WAGOPLC750-823 <= FW07affected
WAGOPLC750-832/xxx-xxx <= FW07affected
WAGOPLC750-862 <= FW07affected
WAGOPLC750-891 <= FW07affected
WAGOPLC750-890/xxx-xxx <= FW07affected
WAGOPLC750-893 <= FW07affected

Weaknesses

  • CWE-287: CWE-287 Improper Authentication

Workarounds

Restrict network access to the device. Do not directly connect the device to the internet. Disable unused TCP/UDP ports. Disable web-based management ports 80/443 after the configuration phase

ADP Enrichment

CVE Program Container

Additional References

References