The Web-Based Management (WBM) of WAGOs programmable logic controller (PLC) is typically used for administration, commissioning and updates.
With special crafted requests it is possible to read and write some special parameters without authentication.
This vulnerability is different to advisory SAV-2020-014 / VDE-2020-028.
This vulnerability allows an attacker who has access to the WBM and knowledge about the directory structure of the WBM to read and/or write a settings-parameter of the devices by sending specifically constructed requests without authentication.
This can lead to malfunction of the application after reboot.
Update the device to the latest FW version.
Maxim Rupp (https://rupp.it) reported this vulnerability to WAGO.