CVE-2022-45138

Summary

The configuration backend of the web-based management can be used by unauthenticated users, although only authenticated users should be able to use the API. The vulnerability allows an unauthenticated attacker to read and set several device parameters that can lead to full compromise of the device.

Affected Software

VendorProductVersion RangeStatus
WAGOCompact Controller CC100 (751-9301)FW16 < FW22affected
WAGOCompact Controller CC100 (751-9301)FW22 Patch 1unaffected
WAGOCompact Controller CC100 (751-9301)FW23affected
WAGOEdge Controller (752-8303/8000-002)FW18 < FW22affected
WAGOEdge Controller (752-8303/8000-002)FW22 Patch 1unaffected
WAGOEdge Controller (752-8303/8000-002)FW23affected
WAGOPFC100 (750-81xx/xxx-xxx)FW16 < FW22affected
WAGOPFC100 (750-81xx/xxx-xxx)FW22 Patch 1unaffected
WAGOPFC100 (750-81xx/xxx-xxx)FW23affected
WAGOPFC200 (750-82xx/xxx-xxx)FW16 < FW22affected
WAGOPFC200 (750-82xx/xxx-xxx)FW22 Patch 1unaffected
WAGOPFC200 (750-82xx/xxx-xxx)FW23affected
WAGOTouch Panel 600 Advanced Line (762-5xxx)FW16 < FW22affected
WAGOTouch Panel 600 Advanced Line (762-5xxx)FW22 Patch 1unaffected
WAGOTouch Panel 600 Advanced Line (762-5xxx)FW23affected
WAGOTouch Panel 600 Marine Line (762-6xxx)FW16 < FW22affected
WAGOTouch Panel 600 Marine Line (762-6xxx)FW22 Patch 1unaffected
WAGOTouch Panel 600 Marine Line (762-6xxx)FW23affected
WAGOTouch Panel 600 Standard Line (762-4xxx)FW16 < FW22affected
WAGOTouch Panel 600 Standard Line (762-4xxx)FW22 Patch 1unaffected
WAGOTouch Panel 600 Standard Line (762-4xxx)FW23affected

Weaknesses

  • CWE-306: CWE-306 Missing Authentication for Critical Function

ADP Enrichment

CVE Program Container

Additional References

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References