Vulnerabilities in Wago PLCs: Understanding the Risks for Industrial Facilities

The Wago PLC 750-8216/025-001 is a programmable logic controller (PLC) widely used in industrial automation. Like many PLCs, it plays a critical role in controlling equipment, industrial processes and other essential functions within automated systems. These devices are integral to the operation of power plants, manufacturing lines and various industrial facilities, making them a key component of operational technology (OT) infrastructures. However, the increasing integration of such systems with modern IT networks has exposed them to potential cyber threats.

Nozomi Networks Labs responsibly reported multiple security vulnerabilities discovered in the Wago PLC 750-8216/025-001 that, once chained together, allow a low privileged user with access to the PLC web interface to escalate their privileges and gain full control of the device.

Wago reviewed these vulnerabilities and confirmed that they impacted several of their devices. A new firmware has been released for each vulnerable device to resolve these security issues, preventing authenticated users from exploiting the vulnerabilities to escalate their privileges on the system and perform forbidden actions.

Vulnerability List

The following table lists all vulnerabilities found in the Wago PLC model 750-8216/025-001 on firmware version 04.04.03(26); multiple other Wago devices are also affected, as specified in the official security advisory published by the vendor. The ordering is by CVSS v3.1 base score. Please carefully review the specific affected functionalities outlined below the table to assess more accurately the potential impact on affected Wago devices.

| CVE ID | CWE | CVSS v3.1 Base Score | CVSS v3.1 Vector |
|---|---|---|---|
| CVE-2024-41969 | Improper Access Control (CWE-284) | 7.1 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L |
| CVE-2024-41971 | Path Traversal (CWE-35) | 6.5 | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H |
| CVE-2024-41973 | Path Traversal (CWE-35) | 6.5 | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H |
| CVE-2024-41967 | Improper Access Control (CWE-284) | 5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L |
| CVE-2024-41968 | Improper Access Control (CWE-284) | 5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L |
| CVE-2024-41974 | Improper Access Control (CWE-284) | 5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L |
| CVE-2024-41970 | Improper Access Control (CWE-284) | 5.3 | CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N |
| CVE-2024-41972 | Path Traversal (CWE-35) | 4.9 | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N |

CODESYS and the Wago PLC: A Critical Foundation

One of the key software components running on the Wago PLC 750-8216/025-001 is CODESYS, a popular programming environment for developing automation applications on PLCs. CODESYS provides an integrated development platform that allows engineers to create, configure and deploy control logic on industrial devices. The Wago device leverages this platform, allowing engineers to interface with the PLC for configuration and operational purposes.

Figure 1. CODESYS client software connection to the Wago device.

While CODESYS brings powerful functionality, it may also introduce potential attack vectors. As we’ll see in this blog post, some of the vulnerabilities found by Nozomi Networks Labs on the Wago PLC are directly linked to its CODESYS integration. These vulnerabilities, when exploited in a chain, allow an authenticated user to escalate their privileges and gain full control over the device, posing serious security risks.

Web Interface Security Evaluation: Broken Access Control

An important aspect of the Wago PLC's vulnerabilities lies in its web-based interface, which is commonly used for configuration and management purposes. Access to this service is managed through three tiers of privileges: root, admin, and user. The user level is the least privileged and is restricted from making significant changes to the system.

Figure 2. Wago main web interface.

During a security evaluation of the web interface, we identified several broken access control vulnerabilities that allow an unauthorized user to access functionality or data that they should not have permission to view or modify.

As an example, the most impactful broken access control vulnerability discovered in this analysis (CVE-2024-41969, CVSS score 7.1, High) was the ability for a low-privileged, user-level actor to disable authentication for the CODESYS client software through the web interface. Leveraging this condition, an attacker can bypass the usual authentication mechanisms and gain unauthorized access to the device via the CODESYS client. Once authentication is disabled, any user can connect to the device and perform actions without valid credentials, exposing the device to further attacks.

Figure 3: CODESYS authentication setting inside the Wago web interface.

Three additional, less severe vulnerabilities were found, labeled as CVE-2024-41967 (with a score of 5.4), CVE-2024-41968 (scored 5.4), and CVE-2024-41969 (scored 7.1). These vulnerabilities allow unauthorized changes to certain restricted system settings and provide access to diagnostic data without proper authorization.
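The difference between checking only that a caller is logged in and checking the caller's tier against a per-setting policy, as an added example (not the Wago web interface's code): the vulnerable handler lets a user-tier session turn off CODESYS authentication, while the hardened one refuses it and still permits an admin. The tier names come from the post; the setting names and the policy table are constructed for the example.

```python
from enum import IntEnum

class Tier(IntEnum):
    """The web interface's three privilege tiers, ordered for comparison."""
    USER = 1
    ADMIN = 2
    ROOT = 3

# Minimum tier permitted to change each setting. This policy table and the
# setting names are constructed for the example, not taken from the firmware.
SETTING_POLICY = {
    "codesys_authentication": Tier.ADMIN,  # turning it off is not a user action
    "display_language": Tier.USER,
}

def update_setting_vulnerable(session, settings, name, value):
    """Broken access control: any logged-in session may change any setting."""
    if session is None:
        raise PermissionError("login required")
    settings[name] = value
    return settings

def update_setting_hardened(session, settings, name, value):
    """Checks the session's tier against the per-setting policy before writing."""
    if session is None:
        raise PermissionError("login required")
    required = SETTING_POLICY.get(name)
    if required is None:            # unknown setting: default-deny
        raise PermissionError(f"unknown setting {name!r}")
    if session["tier"] < required:
        raise PermissionError(f"{session['user']} ({session['tier'].name}) may not change {name}")
    settings[name] = value
    return settings

def demo():
    # Constructed sessions: a user-tier login and an admin-tier login.
    user = {"user": "operator", "tier": Tier.USER}
    admin = {"user": "maintainer", "tier": Tier.ADMIN}
    vuln = {"codesys_authentication": True}
    update_setting_vulnerable(user, vuln, "codesys_authentication", False)
    hard = {"codesys_authentication": True}
    try:
        update_setting_hardened(user, hard, "codesys_authentication", False)
    except PermissionError:
        pass                        # user-tier change refused, hard is unchanged
    user_blocked = hard["codesys_authentication"] is True
    update_setting_hardened(admin, hard, "codesys_authentication", False)
    return {
        "vulnerable_user_disabled_auth": vuln["codesys_authentication"] is False,
        "hardened_user_blocked": user_blocked,
        "hardened_admin_allowed": hard["codesys_authentication"] is False,
    }
```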

Engineering Application Analysis: Path Traversal and Code Execution

In addition to the vulnerabilities found in the web interface, our analysis of the engineering application running on the Wago PLC revealed that it is affected by several path traversal vulnerabilities that allow an attacker authenticated to CODESYS to manipulate file paths and access restricted data on the file system. Specifically, the following CVEs have been reserved:

  • CVE-2024-41971 (6.5): This vulnerability allows for arbitrary file deletion, enabling an attacker to remove files from the system without authorization. This could potentially lead to system instability, loss of critical data or the disruption of essential processes, depending on the files targeted for deletion.
  • CVE-2024-41972 (4.9): The vulnerability permits arbitrary file reading, allowing an attacker to access and view files on the system without proper authorization. This could expose sensitive information, such as configuration files, credentials or operational data, potentially leading to further exploitation or compromising the security of the system.
  • CVE-2024-41973 (6.5): The vulnerability allows for arbitrary file copying, enabling an attacker to copy files to arbitrary paths on the system without proper authorization.

Figure 4: The user credentials database is read exploiting the vulnerability CVE-2024-41972.

By chaining CVE-2024-41971 and CVE-2024-41973, an authenticated attacker can exploit these path traversal issues to upload malicious files to the PLC, overwriting system resources and leading to arbitrary code execution. Through this chain, an attacker can run their own code on the device with the highest privileges (root user), effectively taking full control of the system and its processes. Given the device’s role in industrial operations, this type of attack could have severe operational consequences, potentially leading to system shutdowns, production halts or even damage to physical infrastructure.
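A containment check of the kind that closes the file read, delete and copy traversals described above, as an added example (not Wago's or CODESYS's code): every user-supplied path is resolved against an allowed root, and anything that escapes it, including an absolute path or a symlink inside the root pointing outside, is refused before the file operation runs. The root directory, file names and traversal attempts are constructed for the demo.

```python
import os
import shutil
import tempfile
from pathlib import Path

class PathTraversalError(ValueError):
    """Raised when a requested path would escape the permitted root."""

def resolve_inside(root, user_path):
    """Absolute path for user_path, guaranteed to lie under root."""
    # Join then realpath(): canonicalises '..' segments, absolute paths and
    # symlinks in one step, so the test is made on the file actually touched.
    real_root = os.path.realpath(root)
    candidate = os.path.realpath(os.path.join(real_root, user_path))
    if candidate != real_root and not candidate.startswith(real_root + os.sep):
        raise PathTraversalError(f"path escapes root: {user_path!r}")
    return candidate

# The three file operations the advisory covers, each gated by the check.
def safe_read(root, rel):
    with open(resolve_inside(root, rel), "rb") as f:
        return f.read()

def safe_delete(root, rel):
    os.remove(resolve_inside(root, rel))

def safe_copy(root, src_rel, dst_rel):
    shutil.copyfile(resolve_inside(root, src_rel), resolve_inside(root, dst_rel))

def demo():
    # Constructed scenario: an app root holding one file, a secret outside it.
    base = tempfile.mkdtemp()
    root = os.path.join(base, "app")
    os.makedirs(root)
    Path(root, "config.txt").write_text("ok")
    Path(base, "secret.txt").write_text("outside")
    # A symlink inside the root that points outside it (must also be refused).
    Path(root, "link.txt").symlink_to(Path(base, "secret.txt"))
    results = {"read_inside": safe_read(root, "config.txt")}
    safe_copy(root, "config.txt", "backup.txt")   # legitimate copy inside root
    safe_delete(root, "backup.txt")               # legitimate delete inside root
    for attempt in ("../secret.txt", "/etc/passwd", "sub/../../secret.txt", "link.txt"):
        try:
            safe_read(root, attempt)
            results[attempt] = "allowed"
        except PathTraversalError:
            results[attempt] = "blocked"
    shutil.rmtree(base)
    return results
```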

Chaining the Vulnerabilities: Full Device Control

The most concerning aspect of these vulnerabilities is their ability to be chained together. A low-privileged, user-level attacker could first exploit the broken access control on the web interface to disable the authentication requirements for the CODESYS client (CVE-2024-41969). Once this security measure is bypassed, the attacker can then utilize the path traversal vulnerabilities in the engineering application to upload and execute arbitrary code on the device (CVE-2024-41971 and CVE-2024-41973).

By combining these vulnerabilities, a threat actor can escalate their privileges and gain full administrative control over the Wago PLC. This level of control would allow the attacker to manipulate industrial processes, alter system configurations, and potentially disrupt or damage the entire facility's operation.

Remediation

Wago confirmed that these vulnerabilities affect several of their devices and released an official security advisory notifying customers to upgrade affected firmware to the latest release, since version 28 and above resolves these security issues.

Conclusion: The Impact on Industrial Facilities

The discovery of these vulnerabilities in the Wago PLC 750-8216/025-001 highlights the critical need for improved cybersecurity measures in industrial automation systems. With the ability to chain multiple vulnerabilities and escalate privileges, attackers can gain full control of the device, posing a significant threat to operational continuity and safety in industrial environments. If such vulnerabilities are exploited, it could result in serious consequences, including operational downtime, equipment damage, and even safety risks to personnel.

Industrial facilities must prioritize the security of their PLCs and other OT devices, applying patches and updates promptly, implementing strong authentication mechanisms, and conducting regular security assessments to identify and mitigate potential risks. As the convergence of IT and OT continues, safeguarding these systems is essential to maintaining the resilience and integrity of industrial operations.