All FW versions <= FW18 Patch 2 of the following products are affected:
By exploiting the described vulnerabilities, an attacker may be able to manipulate or disrupt the device.
The I/O-Check service protocol is only needed during installation and commissioning, not during normal operation. It is highly recommended to disable the I/O-Check service after commissioning. This is the easiest and most secure way to protect your device from the listed vulnerabilities and possible upcoming zero-day exploits.
Regardless of the action described above, the vulnerability has been fixed in FW18 Patch 3, released in June 2021.
We recommend that all affected users update to the latest firmware version.
These vulnerabilities were reported to WAGO by Uri Katz of Claroty. We thank CERT@VDE for the management of this coordinated disclosure.