CVE-2022-50926
📋 TL;DR
This vulnerability in WAGO 750-8212 PFC200 G2 2ETH RS firmware allows attackers to escalate privileges by manipulating session cookies. Attackers can modify cookie parameters to gain administrative access without authentication. Organizations using affected WAGO programmable field controllers are at risk.
💻 Affected Systems
- WAGO 750-8212 PFC200 G2 2ETH RS
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Full compromise of industrial control systems, allowing attackers to modify PLC logic, disrupt operations, or cause physical damage to connected equipment.
Likely Case
Unauthorized administrative access to controller configuration, enabling manipulation of industrial processes, data theft, or preparation for further attacks.
If Mitigated
Limited impact if controllers are isolated in segmented networks with strict access controls and monitoring.
🎯 Exploit Status
Exploit requires only web access and cookie manipulation. Public exploit code exists on Exploit-DB.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Check WAGO advisory for specific patched firmware version
Vendor Advisory: https://www.wago.com
Restart Required: Yes
Instructions:
1. Check current firmware version.
2. Download latest firmware from WAGO support portal.
3. Backup configuration.
4. Apply firmware update via web interface or SD card.
5. Verify update and restore configuration if needed.
🔧 Temporary Workarounds
Network Segmentation
Isolate WAGO controllers in separate VLANs with strict firewall rules limiting access to authorized management stations only.
Disable Web Interface
Disable the web management interface if not required, using alternative configuration methods.
🧯 If You Can't Patch
- Implement strict network access controls allowing only trusted IP addresses to access the controller web interface
- Deploy web application firewall rules to detect and block cookie manipulation attempts
🔍 How to Verify
Check if Vulnerable:
Access controller web interface, inspect session cookies for 'name' and 'roles' parameters that can be modified to gain admin access.
Check Version:
Check firmware version in web interface under System Information or via SSH if enabled
Verify Fix Applied:
After patching, attempt cookie manipulation exploit to confirm it no longer grants administrative privileges.
📡 Detection & Monitoring
Log Indicators:
- Multiple failed login attempts followed by successful admin access
- Session cookie modifications in web server logs
- Unusual administrative actions from non-admin users
Network Indicators:
- HTTP requests with modified cookie parameters
- Traffic to controller web interface from unexpected sources
SIEM Query:
source="web_logs" AND (cookie_modification OR (roles="admin" AND user="non-admin"))
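
The log and network indicators above, applied to proxy logs, as an added example that is not part of the original advisory or any WAGO tooling. It assumes a reverse proxy in front of the controller that logs one JSON object per request including the raw Cookie header, and that 'name' and 'roles' appear as cookie key=value pairs; the login path, addresses, account names and log lines are constructed for illustration.

```python
import json

# Assumptions (not from the advisory): a reverse proxy in front of the
# controller logs one JSON object per request with the raw Cookie header.
LOGIN_PATH = "/login"           # hypothetical login endpoint
MGMT_STATIONS = {"10.10.5.20"}  # constructed allowlist of management stations
ADMIN_ACCOUNTS = {"admin"}      # accounts entitled to an admin role

# Constructed sample log lines, not captured from a real device.
SAMPLE_LOG = """
{"ts": "08:00:01", "src": "10.10.5.20", "method": "POST", "path": "/login", "cookie": ""}
{"ts": "08:00:02", "src": "10.10.5.20", "method": "GET", "path": "/status", "cookie": "name=admin; roles=admin"}
{"ts": "08:05:00", "src": "10.10.7.99", "method": "POST", "path": "/login", "cookie": ""}
{"ts": "08:05:01", "src": "10.10.7.99", "method": "GET", "path": "/status", "cookie": "name=guest; roles=guest"}
{"ts": "08:05:09", "src": "10.10.7.99", "method": "GET", "path": "/config", "cookie": "name=guest; roles=admin"}
"""

def parse_cookie(header):
    """Split a Cookie header into a dict; malformed pairs are ignored."""
    pairs = (p.split("=", 1) for p in header.split(";") if "=" in p)
    return {k.strip(): v.strip() for k, v in pairs}

def detect(log_text):
    """Return (ts, src, reason) alerts for the indicators listed above."""
    last_seen = {}  # src -> (name, roles) seen on that client's previous request
    alerts = []
    for line in filter(str.strip, log_text.splitlines()):
        ev = json.loads(line)
        ts, src = ev["ts"], ev["src"]
        if src not in MGMT_STATIONS:
            alerts.append((ts, src, "unexpected_source"))
        if ev["method"] == "POST" and ev["path"] == LOGIN_PATH:
            last_seen.pop(src, None)  # a login may legitimately change identity
            continue
        cookie = parse_cookie(ev.get("cookie", ""))
        ident = (cookie.get("name"), cookie.get("roles"))
        if ident == (None, None):
            continue
        if src in last_seen and last_seen[src] != ident:
            alerts.append((ts, src, "cookie_changed_without_login"))
        if "admin" in (ident[1] or "").lower() and ident[0] not in ADMIN_ACCOUNTS:
            alerts.append((ts, src, "admin_role_for_non_admin"))
        last_seen[src] = ident
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

Because both cookie values are supplied by the client, the change-without-login rule is the stronger signal; the admin-account check only catches a modified 'roles' value presented with an unchanged 'name'.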