CVE-2023-1150
📋 TL;DR
CVE-2023-1150 is a denial-of-service vulnerability in WAGO 750-3x/-8x series industrial controllers. Unauthenticated remote attackers can send specially crafted MODBUS packets to exhaust system resources and crash the MODBUS server. This affects organizations using vulnerable WAGO programmable logic controllers in industrial environments.
💻 Affected Systems
- WAGO 750-3x series
- WAGO 750-8x series
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Complete disruption of MODBUS communication, halting industrial processes controlled by the PLC, potentially causing production downtime, safety issues, or equipment damage.
Likely Case
Temporary loss of MODBUS connectivity requiring controller reboot, disrupting monitoring/control functions until service is restored.
If Mitigated
Limited impact with proper network segmentation and monitoring, allowing quick detection and isolation of attack traffic.
🎯 Exploit Status
Attack requires sending specially crafted MODBUS packets to exhaust resources. No authentication needed, making exploitation straightforward for attackers with network access.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Check WAGO firmware updates for specific version numbers
Vendor Advisory: https://cert.vde.com/en/advisories/VDE-2023-005/
Restart Required: Yes
Instructions:
1. Download latest firmware from WAGO support portal. 2. Backup current configuration. 3. Apply firmware update via WAGO configuration tool. 4. Restart controller. 5. Verify MODBUS functionality.
🔧 Temporary Workarounds
Network Segmentation
allIsolate MODBUS traffic to trusted networks only
Firewall Rules
linuxRestrict MODBUS TCP port 502 access to authorized IP addresses only
iptables -A INPUT -p tcp --dport 502 -s trusted_ip -j ACCEPT
iptables -A INPUT -p tcp --dport 502 -j DROP
🧯 If You Can't Patch
- Implement strict network access controls to limit MODBUS port 502 to trusted sources only
- Deploy intrusion detection systems to monitor for abnormal MODBUS traffic patterns
🔍 How to Verify
Check if Vulnerable:
Check firmware version against vendor advisory. If MODBUS is enabled and firmware is unpatched, assume vulnerable.Check Version:
Use WAGO configuration tool or web interface to check firmware versionVerify Fix Applied:
Verify firmware version matches patched version in vendor advisory and test MODBUS functionality.📡 Detection & Monitoring
Log Indicators:
- Unusual MODBUS request patterns
- Controller reboot events
- Resource exhaustion warnings
Network Indicators:
- High volume of MODBUS packets from single source
- Malformed MODBUS TCP packets
- Traffic to port 502 from unauthorized sources
SIEM Query:
source_port:502 AND (packet_count > threshold OR protocol_anomaly = true)