CVE-2020-12516
📋 TL;DR
This vulnerability affects older firmware versions of WAGO PLC family 750-88x and 750-352 devices, allowing a special denial of service attack that can disrupt industrial control operations. Organizations using these specific programmable logic controllers with vulnerable firmware are at risk of operational disruption.
💻 Affected Systems
- WAGO PLC 750-88x series
- WAGO PLC 750-352
⚠️ Risk & Real-World Impact
Worst Case
Complete disruption of industrial processes controlled by the PLC, potentially causing production downtime, safety system failures, or equipment damage in critical infrastructure environments.
Likely Case
Temporary unavailability of the PLC requiring manual reboot, causing production interruptions and requiring operator intervention to restore normal operations.
If Mitigated
Minimal impact with proper network segmentation and monitoring, allowing quick detection and isolation of attack traffic before service disruption occurs.
🎯 Exploit Status
The advisory describes a 'special denial of service attack' but does not provide technical details about the exploit mechanism.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Firmware versions after FW10
Vendor Advisory: https://cert.vde.com/en-us/advisories/vde-2020-042
Restart Required: Yes
Instructions:
1. Download latest firmware from WAGO support portal.
2. Backup PLC configuration.
3. Upload new firmware via programming software.
4. Restore configuration.
5. Verify operation.
🔧 Temporary Workarounds
Network Segmentation
Isolate PLCs in dedicated industrial network segments with strict firewall rules to limit access.
Access Control Lists
Implement network ACLs to restrict traffic to PLCs from authorized sources only.
🧯 If You Can't Patch
- Implement strict network segmentation to isolate PLCs from untrusted networks
- Deploy industrial intrusion detection systems to monitor for DoS attack patterns
🔍 How to Verify
Check if Vulnerable:
Check firmware version via WAGO programming software or web interface; versions FW1-FW10 are vulnerable.
Check Version:
Use WAGO e!COCKPIT or web interface to check firmware version
Verify Fix Applied:
Confirm firmware version is above FW10 using WAGO programming software or device interface.
📡 Detection & Monitoring
Log Indicators:
- Unusual traffic patterns to PLC ports
- PLC reboot events
- Connection attempts from unauthorized sources
Network Indicators:
- High volume of traffic to PLC management ports
- Unusual protocol patterns targeting PLCs
SIEM Query:
source_ip=* AND dest_ip=PLC_IP AND (port=502 OR port=80 OR port=443) AND bytes_sent>threshold
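Added example (not part of the vendor advisory or any WAGO tooling): the SIEM query above applied to flow records in Python, extended to sum bytes per source in fixed time windows and to flag sources outside an allowlist. The record layout, IP addresses, threshold and window length are assumptions to be replaced with site values.

```python
from collections import defaultdict

PLC_PORTS = {502, 80, 443}      # ports named in the SIEM query above
PLC_IPS = {"10.20.0.15"}        # assumption: constructed PLC address
AUTHORIZED = {"10.20.0.5"}      # assumption: allowlisted HMI / engineering station
BYTES_THRESHOLD = 500_000       # assumption: derive from the site's normal baseline
WINDOW_SECONDS = 60             # assumption: fixed (not sliding) aggregation window

# Constructed flow records: (epoch_seconds, src_ip, dst_ip, dst_port, bytes_sent)
SAMPLE_FLOWS = [
    (1200, "10.20.0.5", "10.20.0.15", 502, 1_200),
    (1210, "10.20.0.5", "10.20.0.15", 502, 1_300),
    (1212, "192.168.7.44", "10.20.0.15", 80, 900),     # source not on the allowlist
    (1215, "10.20.0.5", "10.20.0.15", 502, 400_000),
    (1230, "10.20.0.5", "10.20.0.15", 502, 300_000),   # pushes the window over threshold
    (1300, "10.20.0.5", "10.20.0.15", 502, 1_500),     # next window, normal volume
    (1305, "10.20.0.5", "10.20.0.99", 502, 900_000),   # destination is not a PLC
    (1310, "10.20.0.5", "10.20.0.15", 22, 900_000),    # port not in the query
]


def detect(flows):
    """Return sorted (window_start, src, dst, reason) alerts for PLC-bound flows."""
    volume = defaultdict(int)
    alerts = set()
    for ts, src, dst, port, nbytes in flows:
        if dst not in PLC_IPS or port not in PLC_PORTS:
            continue  # outside the scope of the query
        window = ts - ts % WINDOW_SECONDS
        if src not in AUTHORIZED:
            # "Connection attempts from unauthorized sources"
            alerts.add((window, src, dst, "unauthorized_source"))
        volume[(window, src, dst)] += nbytes
    for (window, src, dst), total in volume.items():
        if total > BYTES_THRESHOLD:
            # "High volume of traffic to PLC management ports"
            alerts.add((window, src, dst, "high_volume"))
    return sorted(alerts)


if __name__ == "__main__":
    for alert in detect(SAMPLE_FLOWS):
        print(alert)
```

Correlating these alerts with PLC reboot events in the same window narrows them to the availability impact the advisory describes.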