PT-2020-11080 · Wago · Wago Pfc 200

Published: 2020-03-10 · Updated: 2020-03-18 · CVE-2019-5157

CVSS v3.1: 7.2 (High)
Vector: AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: WAGO PFC200 Firmware versions 03.00.39(12) through 03.02.02(14)

Description: An exploitable command injection issue exists in the Cloud Connectivity functionality. An attacker can inject OS commands into the TimeoutUnconfirmed parameter value contained in the Firmware Update command.

Recommendations: For versions 03.00.39(12) through 03.02.02(14), consider restricting access to the Firmware Update command to minimize the risk of exploitation. As a temporary workaround, avoid using the TimeoutUnconfirmed parameter in the Firmware Update command until a patch is available.

Weakness Enumeration: OS Command Injection

Related Identifiers: CVE-2019-5157

Affected Products: Wago Pfc 200