CVE-2024-1490 — Code Injection in Cc100

CWE-94 — Code Injection3 documents3 sources

Severity

7.2HIGHNVD

EPSS

0.1%

top 73.49%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Wago Cc100 Wago Edge Controller Wago Pfc100 G1 +5 more

Timeline

PublishedApr 9

Description

An authenticated remote attacker with high privileges can exploit the OpenVPN configuration via the web-based management interface of a WAGO PLC. If user-defined scripts are permitted, OpenVPN may allow the execution of arbitrary shell commands enabling the attacker to run arbitrary commands on the device.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:HExploitability: 1.2 | Impact: 5.9

Affected Packages8 packages

▶CVEListV5wago/cc1000.0.0 — 4.5.10

▶CVEListV5wago/tp6000.0.0 — FW 26+2

▶CVEListV5wago/wp4000.0.0 — 4.5.10

▶CVEListV5wago/pfc100_g10.0.0 — 3.10.10

▶CVEListV5wago/pfc100_g20.0.0 — 4.5.10

🔴Vulnerability Details

GHSA

GHSA-4p2f-67g5-7xhf: An authenticated remote attacker with high privileges can exploit the OpenVPN configuration via the web-based management interface of a WAGO PLC↗2026-04-09

▶

CVEList

Wago: Vulnerability in WBM through Open VPN↗2026-04-09

▶