CVE-2019-5171OS Command Injection in Pfc200

CWE-78OS Command Injection3 documents3 sources
Severity
7.8HIGHNVD
EPSS
0.3%
top 49.55%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Wago Pfc200Wago Pfc200 Firmware
Timeline
PublishedMar 12
Latest updateMay 24

Description

An exploitable command injection vulnerability exists in the iocheckd service ‘I/O-Check’ function of the WAGO PFC 200 Firmware version 03.02.02(14). An attacker can send specially crafted packet at 0x1ea48 to the extracted hostname value from the xml file that is used as an argument to /etc/config-tools/config_interfaces interface=X1 state=enabled ip-address= using sprintf().

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HExploitability: 1.8 | Impact: 5.9

Affected Packages2 packages

NVDwago/pfc200_firmware03.02.02\(14\)
CVEListV5wago/wago_pfc200Firmware version 03.02.02(14)

🔴Vulnerability Details

2
GHSA
GHSA-hvfr-v2x6-hcr4: An exploitable command injection vulnerability exists in the iocheckd service ‘I/O-Check’ function of the WAGO PFC 200 Firmware version 032022-05-24
CVEList
CVE-2019-5171: An exploitable command injection vulnerability exists in the iocheckd service ‘I/O-Check’ function of the WAGO PFC 200 Firmware version 032020-03-11
CVE-2019-5171 — OS Command Injection in Wago Pfc200 | cvebase