CWE: 78

CVE-2020-12522: Command Injection Vulnerability in I/O-Check Service of WAGO PFC100, PFC200 and Touch Panel 600 Series with firmware versions <=FW10

First published: Thu Dec 17 2020

The reported vulnerability allows an attacker who has network access to the device to execute code with specially crafted packets in WAGO Series PFC 100 (750-81xx/xxx-xxx), Series PFC 200 (750-82xx/xxx-xxx), Series Wago Touch Panel 600 Standard Line (762-4xxx), Series Wago Touch Panel 600 Advanced Line (762-5xxx), Series Wago Touch Panel 600 Marine Line (762-6xxx) with firmware versions <=FW10.

Credit: info@cert.vde.com

Affected Software | Affected Version | How to fix
WAGO PFC 100 Firmware | <=10
Wago 750-8101/025-000
Wago 750-8102/025-000
WAGO PFC 200 Firmware | <=10
Wago 750-8202/000-012
Wago 750-8202/000-022
Wago 750-8202/040-000
Wago 750-8202/040-001
Wago 750-8206/025-000
Wago 750-8206/025-001
Wago 750-8206/040-000
Wago 750-8206/040-001
Wago 750-8207/025-000
Wago 750-8207/025-001
Wago 750-8208/025-000
Wago 750-8208/025-001
Wago 750-8210/025-000
Wago 750-8210/040-000
Wago 750-8211/040-000
Wago 750-8211/040-001
Wago 750-8212/025-000
Wago 750-8212/025-001
Wago 750-8212/025-002
Wago 750-8212/040-000
Wago 750-8212/040-010
Wago 750-8213/040-010
Wago 750-8216/025-000
Wago 750-8216/025-001
Wago 750-8217/025-000
Wago Touch Panel 600 Standard Firmware | <=10
Wago 762-4301/8000-002
Wago 762-4302/8000-002
Wago 762-4303/8000-002
Wago 762-4304/8000-002
Wago Touch Panel 600 Advanced Firmware | <=10
Wago 762-5303/8000-002
Wago 762-5304/8000-002
Wago Touch Panel 600 Marine Firmware | <=10
Wago 762-6201/8000-001
Wago 762-6202/8000-001
Wago 762-6203/8000-001
Wago 762-6204/8000-001

Remedy

The I/O-Check service protocol is only needed during installation and commissioning, not during normal operations. It is highly recommended to disable the I/O-Check service after commissioning. This is the easiest and most secure way to protect your device from the listed vulnerabilities. Regardless of the action described above, the vulnerability has been fixed in FW11, released in December 2017.


Frequently Asked Questions

  • What is CVE-2020-12522?

    CVE-2020-12522 is a reported vulnerability that allows an attacker with network access to execute code with specially crafted packets in WAGO Series PFC 100, PFC 200, Wago Touch Panel 600 Standard Line, and Wago Touch Panel 600 Advanced Line.

  • How severe is the vulnerability CVE-2020-12522?

    The severity of CVE-2020-12522 is critical, with a severity value of 9.8.

  • Which software versions are affected by CVE-2020-12522?

    CVE-2020-12522 affects WAGO PFC 100 Firmware versions up to and including 10, as well as WAGO PFC 200 Firmware versions up to and including 10, Wago Touch Panel 600 Standard Firmware versions up to and including 10, and Wago Touch Panel 600 Advanced Firmware versions up to and including 10.

  • How can the vulnerability CVE-2020-12522 be exploited?

    CVE-2020-12522 can be exploited by an attacker with network access who sends specially crafted packets to the vulnerable device, allowing them to execute arbitrary code.

  • Is there a fix available for CVE-2020-12522?

    At the time of writing, there is no information available about a specific fix for CVE-2020-12522. It is recommended to follow the guidance provided by the vendor and apply any patches or updates as soon as they become available.
