Insufficient verification of data authenticity in Wago PFC200 Controller - CVE-2019-5161
Published: March 20, 2020
Vulnerability identifier: #VU26258
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2019-5161
CWE-ID: CWE-345
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vendor: WAGO
Affected software:
Wago PFC200 Controller
Wago PFC200 Controller
Detailed vulnerability description
The vulnerability allows a remote user to execute arbitrary code on the target system.
The vulnerability exists within the Cloud Connectivity functionality due to the affected software does not sufficiently verify the origin or authenticity of data, in a way that causes it to accept invalid data. A remote administrator can use a specially crafted XML file and execute a shell script with root privileges.
How to mitigate CVE-2019-5161
Cybersecurity Help is currently unaware of any official solution to address this vulnerability.