CVE-2019-5166

7.8 HIGH

📋 TL;DR

This vulnerability allows remote code execution on WAGO PFC 200 devices through a stack buffer overflow in the iocheckd service. Attackers can exploit it by sending a specially crafted packet that triggers parsing of a malicious XML cache file. This affects industrial control systems using vulnerable WAGO PFC 200 devices.

💻 Affected Systems

Products:
  • WAGO PFC 200
Versions: 03.02.02(14)
Operating Systems: Embedded Linux
Default Config Vulnerable: ⚠️ Yes
Notes: The iocheckd service runs by default on affected devices.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Full device compromise allowing attackers to execute arbitrary code, disrupt industrial processes, pivot to other systems, or establish persistent access.

🟠 Likely Case

Device takeover leading to operational disruption, data manipulation, or lateral movement within industrial networks.

🟢 If Mitigated

Limited impact with proper network segmentation and access controls preventing exploitation attempts.

🌐 Internet-Facing: HIGH
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Exploitation requires network access to the device and the ability to write a malicious XML file to a specific location.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 03.02.02(15) or later

Vendor Advisory: https://www.wago.com/global/support/product-security/security-advisories

Restart Required: Yes

Instructions:

1. Download the firmware update from the WAGO support portal.
2. Back up the device configuration.
3. Apply the firmware update via the WAGO web interface or maintenance tool.
4. Restart the device.
5. Verify that the version is 03.02.02(15) or later.

🔧 Temporary Workarounds

Network Segmentation (platform: all)

Isolate WAGO PFC 200 devices in dedicated network segments with strict firewall rules.

Service Disablement (platform: linux)

Disable the iocheckd service if it is not required for operations.

systemctl stop iocheckd
systemctl disable iocheckd

🧯 If You Can't Patch

  • Implement strict network access controls to limit connections to WAGO devices
  • Monitor for suspicious file writes to the XML cache location and network traffic to iocheckd service

🔍 How to Verify

Check if Vulnerable:

Check device firmware version via web interface or SSH: cat /etc/version

Check Version:

cat /etc/version

Verify Fix Applied:

Verify that the version is 03.02.02(15) or later and that the iocheckd service is updated or stopped.
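The version check above is easy to get wrong by hand because the fixed release differs from the vulnerable one only in the parenthesised build number. The script below is an added example, not part of this advisory or of WAGO's tooling: it reads a firmware string of the form used on this page, orders major, minor, patch and build numerically, and reports whether the device is at or above 03.02.02(15). The exact layout of /etc/version is an assumption; the parser accepts the version either bare or as the value of a KEY=... line.

```shell
#!/bin/sh
# Added example (not from the advisory or from WAGO): decide whether a firmware
# string read from /etc/version is at or above the fixed release named in the
# advisory, 03.02.02(15). The exact layout of /etc/version is an assumption:
# the parser accepts the version bare ("03.02.02(14)") or as the value of a
# KEY=... line, and compares the parenthesised build number as well, since the
# fix is one build step above the vulnerable release.

FIXED_VERSION="03.02.02(15)"

# Print one integer that orders versions:
#   ((major*100 + minor)*100 + patch)*1000 + build
# Exit status 1 if no major.minor.patch(build) string is found in the input.
version_key() {
    printf '%s\n' "$1" | awk '
        match($0, /[0-9]+\.[0-9]+\.[0-9]+\([0-9]+\)/) {
            v = substr($0, RSTART, RLENGTH)
            gsub(/[().]/, " ", v)          # "03.02.02(14)" -> "03 02 02 14 "
            split(v, p, " ")               # awk reads "03" as decimal 3
            printf "%d\n", ((p[1]*100 + p[2])*100 + p[3])*1000 + p[4]
            found = 1
            exit
        }
        END { exit !found }'
}

# is_fixed VERSION_STRING: 0 = fixed release or later, 1 = vulnerable,
# 2 = string could not be parsed (treat as "unknown", not as "safe")
is_fixed() {
    have=$(version_key "$1") || return 2
    want=$(version_key "$FIXED_VERSION")
    [ "$have" -ge "$want" ]
}

# check_device: read the live device's /etc/version (the path this advisory
# uses) and print a one-line verdict; returns the is_fixed status.
check_device() {
    if is_fixed "$(cat /etc/version 2>/dev/null)"; then rc=0; else rc=$?; fi
    case $rc in
        0) echo "OK: firmware at or above $FIXED_VERSION" ;;
        1) echo "VULNERABLE: firmware below $FIXED_VERSION, update to 03.02.02(15) or later" ;;
        *) echo "UNKNOWN: could not parse /etc/version" ;;
    esac
    return $rc
}

# Run the live check only when invoked as: sh check_wago_version.sh --device
[ "${1:-}" = "--device" ] && check_device
```

Run it on the device over SSH with the --device flag; the three-way exit status (0, 1, 2) lets a fleet inventory script distinguish a patched device from one whose version string could not be read, so an unreadable file is never silently counted as fixed.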

📡 Detection & Monitoring

Log Indicators:

  • Unusual file writes to XML cache location
  • iocheckd service crashes or abnormal behavior
  • Unexpected network connections to port 6626

Network Indicators:

  • Traffic to port 6626 (iocheckd) with malformed XML content
  • Unusual outbound connections from WAGO device

SIEM Query:

source="wagopfc" AND (event="service_crash" OR event="file_write") AND path="*cache*.xml"
