CVE-2022-45138
9.8
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Summary
The configuration backend of the web-based management can be used by unauthenticated users, although only authenticated users should be able to use the API. The vulnerability allows an unauthenticated attacker to read and set several device parameters that can lead to full compromise of the device.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| WAGO | Compact Controller CC100 (751-9301) | FW16 < FW22 | affected |
| WAGO | Compact Controller CC100 (751-9301) | FW22 Patch 1 | unaffected |
| WAGO | Compact Controller CC100 (751-9301) | FW23 | affected |
| WAGO | Edge Controller (752-8303/8000-002) | FW18 < FW22 | affected |
| WAGO | Edge Controller (752-8303/8000-002) | FW22 Patch 1 | unaffected |
| WAGO | Edge Controller (752-8303/8000-002) | FW23 | affected |
| WAGO | PFC100 (750-81xx/xxx-xxx) | FW16 < FW22 | affected |
| WAGO | PFC100 (750-81xx/xxx-xxx) | FW22 Patch 1 | unaffected |
| WAGO | PFC100 (750-81xx/xxx-xxx) | FW23 | affected |
| WAGO | PFC200 (750-82xx/xxx-xxx) | FW16 < FW22 | affected |
| WAGO | PFC200 (750-82xx/xxx-xxx) | FW22 Patch 1 | unaffected |
| WAGO | PFC200 (750-82xx/xxx-xxx) | FW23 | affected |
| WAGO | Touch Panel 600 Advanced Line (762-5xxx) | FW16 < FW22 | affected |
| WAGO | Touch Panel 600 Advanced Line (762-5xxx) | FW22 Patch 1 | unaffected |
| WAGO | Touch Panel 600 Advanced Line (762-5xxx) | FW23 | affected |
| WAGO | Touch Panel 600 Marine Line (762-6xxx) | FW16 < FW22 | affected |
| WAGO | Touch Panel 600 Marine Line (762-6xxx) | FW22 Patch 1 | unaffected |
| WAGO | Touch Panel 600 Marine Line (762-6xxx) | FW23 | affected |
| WAGO | Touch Panel 600 Standard Line (762-4xxx) | FW16 < FW22 | affected |
| WAGO | Touch Panel 600 Standard Line (762-4xxx) | FW22 Patch 1 | unaffected |
| WAGO | Touch Panel 600 Standard Line (762-4xxx) | FW23 | affected |
Weaknesses
- CWE-306: CWE-306 Missing Authentication for Critical Function
ADP Enrichment
CVE Program Container
Additional References
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: no
- Technical Impact: partial
References
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.