#VU26258 Insufficient verification of data authenticity in Wago PFC200 Controller
Vulnerability identifier: #VU26258
Vulnerability risk: Medium
CVSSv3.1: 6.6 [CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C]
CVE-ID:
CWE-ID:
CWE-345
Exploitation vector: Network
Exploit availability: No
Vulnerable software:
Wago PFC200 Controller
Hardware solutions /
Firmware
Vendor: WAGO
Description
The vulnerability allows a remote user to execute arbitrary code on the target system.
The vulnerability exists within the Cloud Connectivity functionality due to the affected software does not sufficiently verify the origin or authenticity of data, in a way that causes it to accept invalid data. A remote administrator can use a specially crafted XML file and execute a shell script with root privileges.
Mitigation
Cybersecurity Help is currently unaware of any official solution to address this vulnerability.
Vulnerable software versions
Wago PFC200 Controller: 03.00.39(12) - 03.02.02(14)
External links
http://talosintelligence.com/vulnerability_reports/TALOS-2019-0954
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated privileged user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
