PT-2020-11079 · Wago · Wago Pfc 200

Published: 2020-03-10 · Updated: 2020-03-18 · CVE-2019-5156

CVSS v3.1: 7.2 (High)

Vector: AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

WAGO PFC200 versions 03.00.39(12) through 03.02.02(14)

Description

An exploitable command injection issue exists in the cloud connectivity functionality. An attacker can inject operating system commands into the TimeoutPrepared parameter value contained in the firmware update command.

Recommendations

For versions 03.00.39(12) through 03.02.02(14), consider restricting access to the firmware update command to minimize the risk of exploitation. As a temporary workaround, avoid using the TimeoutPrepared parameter in the firmware update command until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Exploit

OS Command Injection

Weakness Enumeration

Related Identifiers

CVE-2019-5156

Affected Products

Wago Pfc 200