CVE-2019-5168

Vulnerability

A command injection vulnerability exists in the iocheckd service's "I/O-Check" function of the WAGO PFC 200 controller running firmware version 03.02.02(14). The service parses an XML cache file stored at /tmp/iocheckCache.xml, which is globally writable. During parsing, the domainname value extracted from the XML is passed unsanitized via sprintf() to /etc/config-tools/edit_dns_server domain-name=, which is then executed by system(). This allows an attacker to inject arbitrary OS commands by embedding them in the domainname node of the XML file [1].

Exploitation

An attacker must have local access to the device (any user account with write permissions to /tmp). The attacker writes a malicious XML file to /tmp/iocheckCache.xml containing a crafted domainname value with command injection payloads. The vulnerability is triggered by sending a BC_SaveParameter message to the iocheckd service, which causes the cache file to be parsed and the injected commands to be executed [1]. No additional authentication or user interaction is required beyond the initial write access.

Impact

Successful exploitation results in arbitrary OS command execution with root privileges. The attacker gains full control over the WAGO PFC 200 controller, enabling data exfiltration, installation of persistent backdoors, or disruption of industrial processes. The impact is severe due to the critical role of these controllers in automation environments [1].

Mitigation

No official fix or workaround has been disclosed in the available reference. Users should monitor vendor advisories from WAGO for firmware updates addressing this vulnerability. As of the publication date, no patched version is mentioned [1].