Security researchers have disclosed a vulnerability that could have led to the exposure of sensitive data and credential theft in WAGO products.
Headquartered in Germany with locations worldwide, WAGO creates networking solutions for industrial systems, the cloud, and edge engineering. Products include PLC controllers, touch panels, sensors, and industrial switches.
On January 16, researchers from ONEKEY published a security advisory exploring two issues impacting a range of WAGO solutions.
While the detection of a command injection vulnerability in the WAGO Series PFC100 configuration API turned out to be a false positive, a path traversal bug was also flagged – and this pointed toward a dubious PHP file and a separate security flaw.
According to the researchers, attackers could exploit an unauthenticated configuration export vulnerability in the system by using an emulated device.