CVE-2021-20998
📋 TL;DR
This critical vulnerability in WAGO managed switches allows unauthenticated attackers to create new user accounts via specially crafted network packets. This affects multiple WAGO switch models running vulnerable firmware versions, potentially giving attackers administrative access to industrial network infrastructure.
💻 Affected Systems
- WAGO managed switches (multiple models)
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Attackers gain administrative control of industrial switches, enabling network disruption, data exfiltration, or lateral movement into critical operational technology networks.
Likely Case
Unauthorized users gain administrative access to switches, allowing configuration changes, network monitoring, or denial of service attacks.
If Mitigated
If switches are isolated from untrusted networks and have proper access controls, impact is limited to authorized network segments only.
🎯 Exploit Status
Unauthenticated remote code execution with specially crafted packets; exploit development is straightforward given the vulnerability details.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Check specific firmware updates for each switch model
Vendor Advisory: https://cert.vde.com/en-us/advisories/vde-2021-013
Restart Required: Yes
Instructions:
1. Identify affected WAGO switch models. 2. Download latest firmware from WAGO support portal. 3. Backup current configuration. 4. Apply firmware update via management interface. 5. Verify update and restore configuration if needed.
🔧 Temporary Workarounds
Network segmentation
allIsolate WAGO switches from untrusted networks and restrict management interface access
Access control lists
allImplement strict network ACLs to limit traffic to switch management interfaces
🧯 If You Can't Patch
- Segment switches into isolated VLANs with strict firewall rules
- Disable remote management interfaces if not required
🔍 How to Verify
Check if Vulnerable:
Check switch firmware version against WAGO advisory; if running vulnerable version and exposed to network traffic, device is vulnerable.Check Version:
Check via switch web interface or CLI: 'show version' or equivalentVerify Fix Applied:
Verify firmware version is updated to patched version listed in WAGO advisory.📡 Detection & Monitoring
Log Indicators:
- Unexpected user account creation
- Authentication attempts from unknown IPs
- Configuration changes without authorization
Network Indicators:
- Unusual traffic to switch management ports (TCP/80, TCP/443, TCP/22)
- Suspicious packets to switch management interfaces
SIEM Query:
source_ip=* AND (dest_port=80 OR dest_port=443 OR dest_port=22) AND dest_ip=[switch_ip] AND event_type=authentication_failure