CVE-2022-45138

CWE-306 — Missing Authentication3 documents3 sources

Severity

9.8CRITICAL

EPSS

1.6%

top 18.18%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Wago Compact Controller Cc100 (751-9301)Wago Edge Controller (752-8303/8000-002)Wago Pfc100 (750-81xx/xxx-xxx)+11 more

Timeline

PublishedFeb 27

Description

The configuration backend of the web-based management can be used by unauthenticated users, although only authenticated users should be able to use the API. The vulnerability allows an unauthenticated attacker to read and set several device parameters that can lead to full compromise of the device.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages14 packages

▶NVDwago/pfc100_firmware16 — 22+2

▶NVDwago/pfc200_firmware16 — 22+2

▶NVDwago/751-9301_firmware16 — 22+2

▶CVEListV5wago/pfc100_(750-81xx/xxx-xxx)FW16 — FW22+1

▶CVEListV5wago/pfc200_(750-82xx/xxx-xxx)FW16 — FW22+1

🔴Vulnerability Details

GHSA

GHSA-hq37-597p-8qrg: The configuration backend of the web-based management can be used by unauthenticated users, although only authenticated users should be able to use th↗2023-02-27

▶

CVEList

WAGO: Missing Authentication for Critical Function↗2023-02-27

▶