CVE-2020-12506
📋 TL;DR
This vulnerability allows unauthenticated attackers to change device settings on affected WAGO programmable logic controllers by sending specially crafted requests. It affects WAGO 750-8XX series devices running firmware version FW03 or earlier. This impacts industrial control systems using these vulnerable devices.
💻 Affected Systems
- WAGO 750-362
- WAGO 750-363
- WAGO 750-823
- WAGO 750-832/xxx-xxx
- WAGO 750-862
- WAGO 750-891
- WAGO 750-890/xxx-xxx
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of industrial control systems leading to physical damage, production shutdowns, or safety incidents through unauthorized configuration changes.
Likely Case
Unauthorized modification of device settings causing operational disruption, data manipulation, or creation of backdoors for further attacks.
If Mitigated
Limited impact if devices are isolated in protected networks with proper segmentation and monitoring.
🎯 Exploit Status
The vulnerability requires specially crafted requests but no authentication, making exploitation straightforward for attackers with network access.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Firmware versions after FW03
Vendor Advisory: https://cert.vde.com/en-us/advisories/vde-2020-028
Restart Required: Yes
Instructions:
1. Download latest firmware from WAGO support portal.
2. Backup current configuration.
3. Upload and install new firmware via web interface or configuration tool.
4. Restart device.
5. Restore configuration if needed.
🔧 Temporary Workarounds
Network segmentation
Isolate affected devices in separate VLANs with strict firewall rules limiting access to authorized management systems only.
Access control lists
Implement network ACLs to restrict access to device management interfaces to specific IP addresses.
🧯 If You Can't Patch
- Segment devices in isolated networks with no internet access
- Implement strict firewall rules allowing only necessary traffic from authorized sources
🔍 How to Verify
Check if Vulnerable:
Check firmware version via web interface or configuration tool. If version is FW03 or earlier, device is vulnerable.
Check Version:
Check via web interface at http://<device_ip>/wbm or using WAGO configuration tools
Verify Fix Applied:
Verify firmware version is greater than FW03 after patching. Test that unauthenticated configuration requests are rejected.
📡 Detection & Monitoring
Log Indicators:
- Unauthorized configuration change attempts
- Multiple failed authentication attempts followed by configuration changes
- Configuration changes from unexpected source IPs
Network Indicators:
- Unusual HTTP POST requests to device configuration endpoints
- Configuration traffic from unauthorized IP addresses
SIEM Query:
source_ip NOT IN (authorized_management_ips) AND (uri_path CONTAINS "/config" OR uri_path CONTAINS "/settings") AND http_method="POST"
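The SIEM query above, written out as an added Python example (not part of the original advisory or any vendor tooling) and run over constructed log lines. The log format, the PLC addresses, the management subnet and the sample URI paths are assumptions; only the "/config" and "/settings" markers come from the query itself.

```python
import ipaddress
import re

# Assumptions (not from the advisory): the management subnet, the PLC
# addresses, and a space-separated proxy/firewall log format.
AUTHORIZED_MGMT = [ipaddress.ip_network("10.10.50.0/28")]
PLC_ADDRESSES = {"10.20.0.11", "10.20.0.12"}
# Path fragments copied from the SIEM query on this page.
CONFIG_PATH_MARKERS = ("/config", "/settings")

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) (?P<dst>\S+) "
                     r"(?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3})$")

def is_authorized(src):
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False  # unparsable source is treated as unauthorized
    return any(addr in net for net in AUTHORIZED_MGMT)

def find_suspicious(lines):
    """POSTs to config-like paths on a PLC from non-management sources."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not match the assumed format
        ev = m.groupdict()
        path = ev["path"].lower()  # case-insensitive path match
        if (ev["dst"] in PLC_ADDRESSES
                and ev["method"] == "POST"
                and any(marker in path for marker in CONFIG_PATH_MARKERS)
                and not is_authorized(ev["src"])):
            hits.append(ev)
    return hits

# Constructed sample log lines (not real traffic; paths are illustrative).
SAMPLE_LOG = """\
2024-05-01T08:00:01Z 10.10.50.5 10.20.0.11 POST /wbm/config 200
2024-05-01T08:03:12Z 10.30.7.44 10.20.0.11 POST /wbm/config 200
2024-05-01T08:03:15Z 10.30.7.44 10.20.0.12 GET /wbm/settings 200
2024-05-01T08:04:40Z 192.0.2.9 10.20.0.12 POST /Settings/network 200
2024-05-01T08:05:02Z 10.30.7.44 10.99.0.1 POST /config 200
""".splitlines()

if __name__ == "__main__":
    for ev in find_suspicious(SAMPLE_LOG):
        print(ev["ts"], ev["src"], "->", ev["dst"], ev["path"], ev["status"])
```

Matching a CIDR allowlist rather than a flat IP list, and scoping to known PLC destinations, keeps the rule from firing on ordinary POST traffic to unrelated hosts.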