CVE-2019-12549

9.8 CRITICAL

📋 TL;DR

WAGO industrial controllers contain hardcoded SSH private keys, allowing attackers to impersonate legitimate devices and gain unauthorized access. This affects WAGO 852-303, 852-1305, and 852-1505 devices with outdated firmware. Attackers can potentially compromise industrial control systems.

💻 Affected Systems

Products:
  • WAGO 852-303
  • WAGO 852-1305
  • WAGO 852-1505
Versions: 852-303 before FW06, 852-1305 before FW06, 852-1505 before FW03
Operating Systems: Embedded Linux-based firmware
Default Config Vulnerable: ⚠️ Yes
Notes: All devices with affected firmware versions contain the hardcoded keys by default.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete compromise of industrial control systems leading to operational disruption, data theft, or physical damage to critical infrastructure.

🟠

Likely Case

Unauthorized access to device configuration, potential lateral movement within industrial networks, and data exfiltration.

🟢

If Mitigated

Limited impact if devices are isolated in segmented networks with strict access controls and monitoring.

🌐 Internet-Facing: HIGH - If devices are exposed to the internet, attackers can easily exploit this vulnerability.
🏢 Internal Only: MEDIUM - Internal attackers or compromised internal systems could exploit this vulnerability.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires SSH access to the device, but the hardcoded keys make authentication trivial for attackers who obtain the public key fingerprint.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 852-303 FW06, 852-1305 FW06, 852-1505 FW03

Vendor Advisory: https://cert.vde.com/en-us/advisories/vde-2019-013

Restart Required: Yes

Instructions:

1. Download updated firmware from the WAGO website.
2. Back up the device configuration.
3. Apply the firmware update via the web interface or management tool.
4. Verify that the SSH host key has changed after the update.

🔧 Temporary Workarounds

Disable SSH access


Temporarily disable SSH service if not required for operations.

systemctl stop sshd
systemctl disable sshd

Restrict SSH access


Limit SSH access to specific IP addresses using firewall rules.

iptables -A INPUT -p tcp --dport 22 -s [TRUSTED_IP] -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -j DROP

🧯 If You Can't Patch

  • Isolate affected devices in segmented network zones with strict firewall rules.
  • Implement network monitoring and intrusion detection for SSH connection attempts.

🔍 How to Verify

Check if Vulnerable:

Check SSH host key fingerprint: ssh-keyscan -t rsa [DEVICE_IP] | ssh-keygen -lf -

Check Version:

Check firmware version via web interface or SSH command: cat /etc/issue

Verify Fix Applied:

Verify SSH host key fingerprint differs from known hardcoded keys after patching.
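The fingerprint comparison described above, as an added example that is not part of this advisory: it parses ssh-keyscan output, computes OpenSSH-style SHA256 fingerprints of the presented host keys, and flags any host whose key matches a known hardcoded fingerprint. The fingerprints of the actual hardcoded WAGO keys are not listed on this page, so the known-bad set is a placeholder, and the key blobs and scan output are constructed sample data.

```python
import base64
import hashlib

# Placeholder set: this page does not list the fingerprints of the hardcoded
# WAGO host keys; populate it from the vendor advisory before real use.
KNOWN_HARDCODED_FINGERPRINTS = set()


def sha256_fingerprint(key_b64):
    """OpenSSH-style fingerprint: base64(sha256(raw key blob)), '=' padding removed."""
    blob = base64.b64decode(key_b64)
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")


def parse_keyscan(output):
    """Parse ssh-keyscan lines '<host> <keytype> <base64 key>' into (host, keytype, fingerprint)."""
    entries = []
    for line in output.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):  # ssh-keyscan prints '# host:port banner' comments
            continue
        parts = line.split()
        if len(parts) < 3:
            continue  # malformed line: skip it rather than crash the check
        host, keytype, key_b64 = parts[0], parts[1], parts[2]
        entries.append((host, keytype, sha256_fingerprint(key_b64)))
    return entries


def check_hosts(output, bad_fingerprints=None):
    """Map each scanned host to True if any of its host keys is a known hardcoded key."""
    bad = KNOWN_HARDCODED_FINGERPRINTS if bad_fingerprints is None else bad_fingerprints
    verdict = {}
    for host, _keytype, fp in parse_keyscan(output):
        verdict[host] = verdict.get(host, False) or (fp in bad)
    return verdict


# Constructed sample: two minimal RSA-shaped key blobs and ssh-keyscan-style output.
_KEY_A = base64.b64encode(b"\x00\x00\x00\x07ssh-rsa\x00\x00\x00\x03\x01\x00\x01\x00\x00\x00\x01\x05").decode()
_KEY_B = base64.b64encode(b"\x00\x00\x00\x07ssh-rsa\x00\x00\x00\x03\x01\x00\x01\x00\x00\x00\x01\x07").decode()
SAMPLE_OUTPUT = (
    "# 192.0.2.10:22 SSH-2.0-OpenSSH_7.4\n"
    f"192.0.2.10 ssh-rsa {_KEY_A}\n"
    f"192.0.2.11 ssh-rsa {_KEY_B}\n"
)
```

Feed it the real output of `ssh-keyscan -t rsa [DEVICE_IP]` and a populated known-bad set; a device that still reports True after updating has not actually replaced its host key.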

📡 Detection & Monitoring

Log Indicators:

  • Failed SSH authentication attempts
  • Successful SSH logins from unexpected sources
  • SSH host key mismatch warnings

Network Indicators:

  • SSH connections to industrial devices from unauthorized IPs
  • SSH traffic patterns inconsistent with normal operations

SIEM Query:

source="ssh.log" (event="Accepted publickey" OR event="Failed publickey") dest_ip="[INDUSTRIAL_DEVICE_IP]"

🔗 References
