CVE-2015-6472

9.8 CRITICAL

📋 TL;DR

This vulnerability in WAGO IO PLC devices involves weak credential management and privilege separation issues, allowing attackers to bypass authentication mechanisms. Affected systems include WAGO IO 750-849, 750-881, and 758-870 PLCs running specific firmware versions. This enables unauthorized access to industrial control systems.

💻 Affected Systems

Products:
  • WAGO IO 750-849
  • WAGO IO 750-881
  • WAGO IO 758-870
Versions: 01.01.27 and 01.02.05 for 750-849; unspecified versions for 750-881 and 758-870
Operating Systems: Embedded PLC firmware
Default Config Vulnerable: ⚠️ Yes
Notes: Affects specific firmware versions of industrial programmable logic controllers used in automation systems.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete compromise of industrial control systems leading to physical damage, production shutdown, or safety incidents through unauthorized PLC programming and control.

🟠 Likely Case

Unauthorized access to PLC configuration and logic, enabling manipulation of industrial processes, data theft, or denial of service.

🟢 If Mitigated

Limited impact if devices are isolated in segmented networks with strong access controls and monitoring.

🌐 Internet-Facing: HIGH - Direct internet exposure makes exploitation trivial: the flaw is an authentication bypass with low attack complexity, as the high CVSS score reflects.
🏢 Internal Only: HIGH - Even internally, weak credential management allows lateral movement and privilege escalation within industrial networks.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Public exploit details available in security advisories; authentication bypass makes exploitation straightforward.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Check WAGO for updated firmware versions

Vendor Advisory: https://www.wago.com/global/industrial-automation/catalog/security-advisories

Restart Required: Yes

Instructions:

1. Contact WAGO support for the latest firmware updates.
2. Back up the PLC configuration.
3. Apply the firmware update via the programming software.
4. Restart the PLC.
5. Verify functionality.

🔧 Temporary Workarounds

Network segmentation (applies to: all)

Isolate PLCs in dedicated industrial network segments with strict firewall rules.

Access control hardening (applies to: all)

Implement strong authentication mechanisms and restrict network access to authorized IPs only.

🧯 If You Can't Patch

  • Implement network segmentation with industrial DMZ and strict firewall rules blocking all unnecessary ports
  • Deploy intrusion detection systems monitoring for unauthorized PLC access attempts and configuration changes

🔍 How to Verify

Check if Vulnerable:

Check firmware version via WAGO programming software or web interface; compare against affected versions

Check Version:

Use WAGO e!COCKPIT or web interface to check firmware version

Verify Fix Applied:

Verify firmware version is updated beyond affected versions and test authentication mechanisms

📡 Detection & Monitoring

Log Indicators:

  • Unauthorized authentication attempts
  • PLC configuration changes from unexpected sources
  • Failed login attempts followed by successful access

Network Indicators:

  • Unexpected connections to PLC programming ports (TCP 1962, 2455)
  • Traffic patterns indicating PLC reprogramming

SIEM Query:

source_ip=* AND (dest_port=1962 OR dest_port=2455) AND NOT source_ip IN [authorized_ips]
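The SIEM query above is the whole of the page's detection logic. The script below is an added example (not code from the page, from WAGO, or from any SIEM vendor) that applies the same rule to connection records in a script, so it can be tested against constructed traffic before being deployed as a query. It assumes a flow record format (`src`, `dst`, `dst_port`, `proto`) and an authorized engineering subnet of `10.10.5.0/24`; the sample flows are constructed, not captured traffic. It goes slightly beyond the query in two ways: the allowlist is expressed as CIDR networks rather than a list of literal IPs, and an unparsable source address is treated as unauthorized rather than silently skipped.

```python
"""Flag connections to PLC programming ports from sources outside an allowlist.

Added example. Ports 1962 and 2455 are the TCP programming ports named in the
page's Network Indicators; everything else here (subnet, record layout, flows)
is an assumption or constructed sample data.
"""
import ipaddress
from collections import Counter

# Programming ports named on the page (TCP 1962, 2455).
PLC_PROGRAMMING_PORTS = {1962, 2455}

# Assumed: engineering workstations that may legitimately program the PLCs.
AUTHORIZED_NETS = [ipaddress.ip_network("10.10.5.0/24")]

# Constructed sample flow records (not real traffic).
SAMPLE_FLOWS = [
    {"ts": "2024-03-01T08:00:01Z", "src": "10.10.5.20", "dst": "10.20.1.10", "dst_port": 2455, "proto": "tcp"},
    {"ts": "2024-03-01T08:00:07Z", "src": "10.30.7.45", "dst": "10.20.1.10", "dst_port": 2455, "proto": "tcp"},
    {"ts": "2024-03-01T08:01:12Z", "src": "192.0.2.77", "dst": "10.20.1.11", "dst_port": 1962, "proto": "tcp"},
    {"ts": "2024-03-01T08:02:30Z", "src": "10.30.7.45", "dst": "10.20.1.10", "dst_port": 80, "proto": "tcp"},
    {"ts": "2024-03-01T08:03:00Z", "src": "10.30.7.45", "dst": "10.20.1.10", "dst_port": 2455, "proto": "udp"},
    {"ts": "2024-03-01T08:04:00Z", "src": "garbage", "dst": "10.20.1.10", "dst_port": 2455, "proto": "tcp"},
]


def is_authorized(src: str, nets) -> bool:
    """True if src parses as an IP address inside one of the allowlisted networks.

    An address that does not parse is treated as NOT authorized: a malformed
    source field must not make a connection disappear from the alert list.
    """
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False
    return any(addr in net for net in nets)


def find_unauthorized_plc_connections(flows, authorized_nets=AUTHORIZED_NETS,
                                      ports=PLC_PROGRAMMING_PORTS,
                                      protocols=("tcp",)):
    """Return the flows that hit a PLC programming port from an unauthorized source.

    Mirrors the page's query: (dest_port=1962 OR dest_port=2455) AND NOT
    source_ip IN [authorized]. The page lists the ports as TCP, so other
    protocols are ignored by default; pass protocols=("tcp", "udp") to widen.
    """
    alerts = []
    for flow in flows:
        if str(flow.get("proto", "tcp")).lower() not in protocols:
            continue
        if flow.get("dst_port") not in ports:
            continue
        if is_authorized(str(flow.get("src", "")), authorized_nets):
            continue
        alerts.append({
            "ts": flow.get("ts"),
            "src": flow.get("src"),
            "dst": flow.get("dst"),
            "dst_port": flow.get("dst_port"),
            "reason": "PLC programming port reached from unauthorized source",
        })
    return alerts


def summarize_by_source(alerts) -> dict:
    """Count alerts per source address, useful for spotting one host probing many PLCs."""
    return dict(Counter(a["src"] for a in alerts))


if __name__ == "__main__":
    found = find_unauthorized_plc_connections(SAMPLE_FLOWS)
    for a in found:
        print(f'{a["ts"]} {a["src"]} -> {a["dst"]}:{a["dst_port"]}  {a["reason"]}')
    print("per-source:", summarize_by_source(found))
```

Run against the constructed sample, the script reports three flows: the two from hosts outside the engineering subnet and the one whose source field is unparsable, while the authorized workstation, the HTTP flow, and the UDP flow are not reported. Whether the unparsable-source case should alert is a policy decision; the example errs on the side of alerting because a detection that drops malformed records is easy to blind.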
