CVE-2023-1698 CRITICAL

CVE-2023-1698: WAGO: WBM Command Injection in multiple products

Vendor Wago

Product Compact Controller CC100

Weakness CWE-78

Published May 15, 2023

Last update January 23, 2025

View on NVD All CVEs

CVSS base score

9.8/10

Attack vector Network

Attack complexity Low

Privileges required None

User interaction None

Confidentiality High

Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

What the vulnerability does

01Description

In multiple products of WAGO a vulnerability allows an unauthenticated, remote attacker to create new users and change the device configuration which can result in unintended behaviour, Denial of Service and full system compromise.

Key dates

02Disclosure timeline

May 15, 2023 CVE published

January 23, 2025 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2023-1698 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/78.html

Related vulnerabilities

Identifiers

CVE CVE-2023-1698

CWE CWE-78

CVSS 9.8 / CRITICAL

Affected versions

Vendor Wago

Product Compact Controller CC100

Affected ≥ FW20 and ≤ FW22

Vendor Wago

Product Compact Controller CC100

Affected FW23

Vendor Wago

Product Edge Controller

Affected FW22

Vendor Wago

Product PFC100

Affected ≥ FW20 and ≤ FW22

Vendor Wago

Product PFC100

Affected FW23

Vendor Wago

Product PFC200

Affected ≥ FW20 and ≤ FW22

Vendor Wago

Product PFC200

Affected FW23

Vendor Wago

Product Touch Panel 600 Advanced Line

Affected FW22

Vendor Wago

Product Touch Panel 600 Marine Line

Affected FW22

Vendor Wago

Product Touch Panel 600 Standard Line

Affected FW22

CVE-2023-1698: WAGO: WBM Command Injection in multiple products

01Description

02Disclosure timeline

03References

04Related CVE