CVE-2022-45140

CWE-306 — Missing Authentication3 documents3 sources

Severity

9.8CRITICAL

EPSS

6.3%

top 9.08%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Wago Compact Controller Cc100 (751-9301)Wago Edge Controller (752-8303/8000-002)Wago Pfc100 (750-81xx/xxx-xxx)+11 more

Timeline

PublishedFeb 27

Description

The configuration backend allows an unauthenticated user to write arbitrary data with root privileges to the storage, which could lead to unauthenticated remote code execution and full system compromise.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages14 packages

▶NVDwago/pfc100_firmware16 — 22+2

▶NVDwago/pfc200_firmware16 — 22+2

▶NVDwago/751-9301_firmware16 — 22+2

▶CVEListV5wago/pfc100_(750-81xx/xxx-xxx)FW16 — FW22+1

▶CVEListV5wago/pfc200_(750-82xx/xxx-xxx)FW16 — FW22+1

🔴Vulnerability Details

GHSA

GHSA-4p8v-g44f-p8hp: The configuration backend allows an unauthenticated user to write arbitrary data with root privileges to the storage, which could lead to unauthentica↗2023-02-27

▶

CVEList

WAGO: Missing Authentication for Critical Function↗2023-02-27

▶