Share: Email | Twitter




2020-03-09 10:05 (CET)

Last update

2020-03-09 10:05 (CET)


WAGO GmbH & Co. KG


Article No┬░ Product Name Affected Version(s)
750-81xx/xxx-xxx (PFC100) FW05 <= FW14
750-82xx/xxx-xxx (PFC200) FW05 <= FW14
762-4xxx FW05 <= FW14
762-5xxx FW05 <= FW14
762-6xxx FW05 <= FW14


With special crafted requests it is possible to get sensitive information, in this case the password hashes, by measuring response delay. With a substantial amount of time this data can be used to calculate the passwords of the Web-Based Management users. In case of CVE 2019-5134 , the password salt can also be extracted.


Last Update
April 14, 2020, 1:15 p.m.
Exposure of Sensitive Information to an Unauthorized Actor (CWE-200)

An exploitable regular expression without anchors vulnerability exists in the Web-Based Management (WBM) authentication functionality of WAGO PFC200 versions 03.00.39(12) and 03.01.07(13), and WAGO PFC100 version 03.00.39(12). A specially crafted authentication request can bypass regular expression filters, resulting in sensitive information disclosure.

Last Update
April 14, 2020, 1:15 p.m.
Observable Discrepancy (CWE-203)

An exploitable timing discrepancy vulnerability exists in the authentication functionality of the Web-Based Management (WBM) web application on WAGO PFC100/200 controllers. The WBM application makes use of the PHP crypt() function which can be exploited to disclose hashed user credentials. This affects WAGO PFC200 Firmware version 03.00.39(12) and version 03.01.07(13), and WAGO PFC100 Firmware version 03.00.39(12).


These vulnerabilities allow an experienced attacker who has access to the WBM to reconstruct the passwords hashes of the WBM users by sending specifically constructed requests.



  • Use strong passwords for all user accounts, especially for administrative user accounts on the device.
  • Follow the instructions in WAGOs handbook Cyber Security for Controller
  • Restrict network access to the device.
  • Do not directly connect the device to the internet
  • Disable unused TCP/UDP-ports


Update the devices to standard firmware 15 or later versions.

Reported by

These vulnerabilities were reported to WAGO by:

  • Daniel Szameitat, innogy SE
  • Jan Hoff, innogy SE
  • Daniel Patrick DeSantis, Cisco Talos
  • Lilith [-_-], Cisco Talos

Coordination done by CERT@VDE.