Wago Pfc200 G1 750-820X-Xxx-Xxx vulnerabilities

CVE-2025-25265 [MEDIUM] CWE-306 CVE-2025-25265: A web application for configuring the controller is accessible at a specific path. It contains an en A web application for configuring the controller is accessible at a specific path. It contains an endpoint that allows a high privileged remote attacker to read files from the system’s file structure.

CVE-2025-25264 [MEDIUM] CWE-942 CVE-2025-25264: An unauthenticated remote attacker can trick an admin to visit a website containing malicious java s An unauthenticated remote attacker can trick an admin to visit a website containing malicious java script code. The current overly permissive CORS policy allows the attacker to obtain any files from the file system.

CVE-2025-0101 [MEDIUM] CWE-190 CVE-2025-0101: A low privileged user can set the date of the devices to the 19th of January 2038 an therefore excee A low privileged user can set the date of the devices to the 19th of January 2038 an therefore exceed the 32-Bit time limit. This causes some functions to work unexpected or stop working at all. Both during runtime and after a restart.

CVE-2024-12650 [MEDIUM] CWE-252 CVE-2024-12650: An attacker with low privileges can manipulate the requested memory size, causing the application to An attacker with low privileges can manipulate the requested memory size, causing the application to use an invalid memory area. This could lead to a crash of the application but it does not affected other applications.

CVE-2024-41967 [HIGH] CWE-306 CVE-2024-41967: A low privileged remote attacker may modify the boot mode configuration setup of the device, leading A low privileged remote attacker may modify the boot mode configuration setup of the device, leading to modification of the firmware upgrade process or a denial-of-service attack.

CVE-2024-41969 [HIGH] CWE-306 CVE-2024-41969: A low privileged remote attacker may modify the configuration of the CODESYS V3 service through a mi A low privileged remote attacker may modify the configuration of the CODESYS V3 service through a missing authentication vulnerability which could lead to full system access and/or DoS.

CVE-2024-41968 [MEDIUM] CWE-306 CVE-2024-41968: A low privileged remote attacker may modify the docker settings setup of the device, leading to a li A low privileged remote attacker may modify the docker settings setup of the device, leading to a limited DoS.