CVE-2021-21001
📋 TL;DR
This vulnerability allows authenticated attackers with network access to WAGO PFC200 devices to access the file system with elevated privileges via specially crafted packets. It affects industrial control systems using these programmable field controllers. Attackers can potentially read, modify, or delete critical system files.
💻 Affected Systems
- WAGO PFC200
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Complete device compromise allowing attackers to modify firmware, steal credentials, disrupt industrial processes, or use the device as a pivot point into operational technology networks.
Likely Case
Unauthorized file system access leading to configuration theft, credential harvesting, or installation of persistent backdoors on affected devices.
If Mitigated
Limited impact if devices are properly segmented, monitored, and have strict access controls preventing unauthorized network connections.
🎯 Exploit Status
Exploitation requires authentication but could be combined with default credentials or credential harvesting. The path traversal vulnerability (CWE-22) suggests straightforward exploitation once authenticated.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Firmware version 03.00.39(12) and later
Vendor Advisory: https://cert.vde.com/en-us/advisories/vde-2021-014
Restart Required: Yes
Instructions:
1. Download latest firmware from WAGO support portal. 2. Backup device configuration. 3. Upload and install firmware update via web interface or WAGO Service Tool. 4. Verify installation and restore configuration if needed.
🔧 Temporary Workarounds
Network segmentation
allIsolate PFC200 devices in dedicated VLANs with strict firewall rules limiting access to authorized management stations only.
Access control hardening
allChange default credentials, implement strong authentication, and restrict administrative access to specific IP addresses.
🧯 If You Can't Patch
- Implement strict network segmentation with firewall rules blocking all unnecessary traffic to affected devices
- Enable detailed logging and monitoring for unauthorized access attempts and file system modifications
🔍 How to Verify
Check if Vulnerable:
Check firmware version via web interface (System > Information) or using WAGO Service Tool. Compare against patched version 03.00.39(12).Check Version:
No single command - check via web interface or WAGO Service ToolVerify Fix Applied:
Verify firmware version shows 03.00.39(12) or later. Test file system access controls from authenticated sessions.📡 Detection & Monitoring
Log Indicators:
- Multiple failed authentication attempts followed by successful login
- Unusual file access patterns or modification timestamps
- Administrative actions from unexpected IP addresses
Network Indicators:
- Traffic to PFC200 devices from unauthorized networks
- Unusual packet patterns or crafted requests to device services
SIEM Query:
source_ip IN (unauthorized_networks) AND dest_ip IN (pfc200_devices) AND (event_type="authentication" OR event_type="file_access")