CVE-2023-4149 CRITICAL

CVE-2023-4149: WAGO: OS Command Injection Vulnerability in Managed Switch

Vendor Wago

Product Industrial Managed Switch (0852-0602)

Weakness CWE-78

Published November 21, 2023

Last update August 2, 2024

View on NVD All CVEs

CVSS base score

9.8/10

Attack vector Network

Attack complexity Low

Privileges required None

User interaction None

Confidentiality High

Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

What the vulnerability does

01Description

A vulnerability in the web-based management allows an unauthenticated remote attacker to inject arbitrary system commands and gain full system control. Those commands are executed with root privileges. The vulnerability is located in the user request handling of the web-based management.

Key dates

02Disclosure timeline

November 21, 2023 CVE published

August 2, 2024 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2023-4149

Related vulnerabilities

Identifiers

CVE CVE-2023-4149

CWE CWE-78

CVSS 9.8 / CRITICAL

Affected versions

Vendor Wago

Product Industrial Managed Switch (0852-0602)

Affected < 1.0.6.S0

Vendor Wago

Product Industrial Managed Switch (0852-0603)

Affected < 1.0.6.S0

Vendor Wago

Product Industrial Managed Switch (0852-1605)

Affected < 1.2.5.S0

CVE-2023-4149: WAGO: OS Command Injection Vulnerability in Managed Switch

01Description

02Disclosure timeline

03References

04Related CVE