CVE-2023-1698

WAGO: WBM Command Injection in multiple products

CVSS 9.8 CRITICAL | EPSS 81.9% | CWE-78
In short

An attacker can remotely access WAGO devices without credentials and create new users or change critical settings, potentially taking complete control of the device or making it stop working.

Technical detail

A command injection vulnerability (CWE-78) in WAGO WBM allows unauthenticated remote attackers to execute arbitrary commands through unsanitized input, enabling unauthorized user creation, configuration modification, and complete system compromise. The vulnerability requires network access but no prior authentication, resulting in CVSS 9.8 severity with impacts including DoS and full device takeover.

Summary generated and translated by AI from the official description.
In multiple products of WAGO a vulnerability allows an unauthenticated, remote attacker to create new users and change the device configuration which can result in unintended behaviour, Denial of Service and full system compromise.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H