VYPR
Unrated severity · NVD Advisory · Published May 15, 2023 · Updated Jan 23, 2025

WAGO: WBM Command Injection in multiple products

CVE-2023-1698

Description

In multiple products of WAGO a vulnerability allows an unauthenticated, remote attacker to create new users and change the device configuration which can result in unintended behaviour, Denial of Service and full system compromise.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

An unauthenticated remote attacker can execute arbitrary commands on WAGO PFC devices via the web-based management interface, leading to full system compromise.

Vulnerability

The vulnerability resides in the 'legal information' plugin of the web-based management interface on WAGO PFC100 and PFC200 devices. The plugin is vulnerable to command injection. Affected versions include: PFC100/200 with firmware FW22 before SP1, and PFC200 750-821x/xxx-xxx with firmware FW23 (PFC100 with FW23 is not affected). [1]

Exploitation

An unauthenticated attacker can exploit the vulnerability remotely by sending crafted HTTP requests to the affected plugin. No authentication or prior access is required. [1]

Impact

Successful exploitation allows arbitrary command execution with the privileges of the 'www' user, enabling the attacker to modify device configuration, create new users, cause denial of service, or achieve full system compromise. [1]

Mitigation

WAGO has released firmware updates: FW22 SP1 and a fixed FW23 version. Users should update affected devices to these patched versions. No workarounds are provided in the advisory. [1]

AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products (7)

  • WAGO/Compact Controller CC100v5
    Range: FW20
  • WAGO/Edge Controllerv5
    Range: FW22
  • WAGO/PFC100v5
    Range: FW20
  • Wago/PFC200cpe-rescue
    Range: FW20
  • WAGO/Touch Panel 600 Advanced Linev5
    Range: FW22
  • WAGO/Touch Panel 600 Marine Linev5
    Range: FW22
  • WAGO/Touch Panel 600 Standard Linev5
    Range: FW22

Patches

0

No patches discovered yet.

References

1
