Public exploit available

Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).

CVE-2023-1698 — OS Command Injection in Compact Controller Cc100

CWE-78 — OS Command Injection5 documents5 sources

Severity

9.8CRITICALNVD

EPSS

93.8%

top 0.15%

CISA KEV

Not in KEV

Exploit

PoC available

Public exploit / PoC exists

Affected products

Wago Compact Controller Cc100 Wago Pfc100 Wago Pfc200 +11 more

Timeline

PublishedMay 15

Description

In multiple products of WAGO a vulnerability allows an unauthenticated, remote attacker to create new users and change the device configuration which can result in unintended behaviour, Denial of Service and full system compromise.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages14 packages

▶CVEListV5wago/pfc100FW20 — FW22+1

▶CVEListV5wago/pfc200FW20 — FW22+1

▶NVDwago/pfc100_firmware20 — 23

▶NVDwago/pfc200_firmware20 — 23

▶CVEListV5wago/compact_controller_cc100FW20 — FW22+1

🔴Vulnerability Details

CVEList

WAGO: WBM Command Injection in multiple products↗2023-05-15

▶

GHSA

GHSA-vf3g-hqqf-r379: In multiple products of WAGO a vulnerability allows an unauthenticated, remote attacker to create new users and change the device configuration which↗2023-05-15

▶

VulnCheck

wago compact_controller_100_firmware Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')↗2023

▶

💥Exploits & PoCs

Nuclei

WAGO - Remote Command Execution

▶