Skip to main content
A Leader in the 2026 Gartner® Magic Quadrant™ for Endpoint Protection. Six years running.Find Out Why
CVE Vulnerability Database
Vulnerability Database/CVE-2023-1698

CVE-2023-1698: Wago Compact Controller Auth Bypass Flaw

CVE-2023-1698 is an authentication bypass vulnerability in Wago Compact Controller 100 Firmware allowing remote attackers to create users and alter device configurations. This article covers technical details, impact, and mitigations.

Published:

CVE-2023-1698 Overview

CVE-2023-1698 is a critical command injection vulnerability affecting multiple WAGO industrial control products, including PLCs and touch panel devices. The vulnerability allows an unauthenticated, remote attacker to create new users and change the device configuration, which can result in unintended behavior, Denial of Service, and full system compromise.

Critical Impact

Unauthenticated remote attackers can achieve full system compromise on affected WAGO industrial controllers through command injection, potentially disrupting critical industrial processes.

Affected Products

  • WAGO Compact Controller 100 (all firmware versions)
  • WAGO Edge Controller (firmware version 22)
  • WAGO PFC100 (all firmware versions)
  • WAGO PFC200 (all firmware versions)
  • WAGO Touch Panel 600 Advanced (firmware version 22)
  • WAGO Touch Panel 600 Marine (firmware version 22)
  • WAGO Touch Panel 600 Standard (firmware version 22)

Discovery Timeline

  • 2023-05-15 - CVE-2023-1698 published to NVD
  • 2024-11-21 - Last updated in NVD database

Technical Details for CVE-2023-1698

Vulnerability Analysis

This vulnerability is classified as CWE-78 (Improper Neutralization of Special Elements used in an OS Command), commonly known as OS Command Injection. The flaw exists in the web-based management interface of affected WAGO devices, allowing attackers to inject arbitrary operating system commands through user-controllable input fields.

The vulnerability requires no authentication and can be exploited remotely over the network, making it particularly dangerous for internet-exposed or poorly segmented industrial environments. Successful exploitation grants attackers the ability to create new user accounts with administrative privileges, modify device configurations that control industrial processes, and achieve complete system compromise with full control over the device's operating system.

Root Cause

The root cause of CVE-2023-1698 is improper input validation and sanitization in the device's web management interface. User-supplied input is passed directly to underlying operating system commands without proper neutralization of special characters or command delimiters. This allows attackers to break out of the intended command context and execute arbitrary commands with the privileges of the web service process.

Attack Vector

The attack vector for CVE-2023-1698 is network-based, requiring no authentication or user interaction. An attacker with network access to the vulnerable device's web management interface can craft malicious HTTP requests containing specially formatted payloads with OS command injection sequences.

The exploitation process typically involves:

  1. Identifying a network-accessible WAGO device with an exposed management interface
  2. Crafting HTTP requests with malicious payloads containing shell metacharacters and commands
  3. Submitting the crafted requests to vulnerable endpoint parameters
  4. Achieving command execution under the context of the web service

Since no authentication is required, the attacker does not need valid credentials to exploit this vulnerability. The injected commands execute with the privileges of the web application, which on embedded industrial controllers often provides root-level access to the underlying Linux-based operating system.

Detection Methods for CVE-2023-1698

Indicators of Compromise

  • Unexpected user accounts created on WAGO devices, particularly those with administrative privileges
  • Unexplained configuration changes to PLCs or touch panels, including modified network settings or process parameters
  • Anomalous HTTP requests to the web management interface containing shell metacharacters such as ;, |, &&, or backticks
  • Unusual outbound network connections from industrial control devices attempting to reach external IP addresses

Detection Strategies

  • Monitor web server logs on WAGO devices for requests containing command injection patterns or encoded shell metacharacters
  • Implement network intrusion detection rules to identify malicious payloads targeting WAGO management interfaces
  • Deploy application-layer firewalls with signatures for OS command injection attempts
  • Audit user accounts and configuration changes on all affected WAGO devices regularly

Monitoring Recommendations

  • Establish baseline behavior for WAGO device network traffic and alert on deviations
  • Enable verbose logging on industrial control devices where possible and forward logs to a centralized SIEM
  • Monitor for unexpected process creation or file system modifications on affected devices
  • Implement network segmentation monitoring to detect unauthorized access attempts to ICS/SCADA networks

How to Mitigate CVE-2023-1698

Immediate Actions Required

  • Isolate affected WAGO devices from untrusted networks immediately, ensuring they are not accessible from the internet
  • Implement strict network segmentation between IT and OT environments with appropriate firewall rules
  • Restrict access to the web management interface to trusted administrative workstations only
  • Audit all user accounts on affected devices and remove any unauthorized accounts
  • Review device configurations for unauthorized modifications and restore from known-good backups if necessary

Patch Information

WAGO has released firmware updates to address this vulnerability. Administrators should consult the VDE Security Advisory VDE-2023-007 for detailed patch information and updated firmware versions for all affected products. Apply the latest firmware updates during the next available maintenance window following proper change management procedures.

Workarounds

  • Disable or restrict access to the web-based management interface if not required for operations
  • Implement network-level access controls using firewalls to limit connectivity to the management interface to specific trusted IP addresses
  • Deploy a reverse proxy or web application firewall in front of the management interface with input validation rules
  • Use VPN connections for remote administrative access rather than exposing management interfaces directly
bash
# Example iptables rules to restrict management interface access
# Restrict web management interface (typically port 80/443) to trusted admin subnet
iptables -A INPUT -p tcp --dport 80 -s 10.10.10.0/24 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -s 10.10.10.0/24 -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j DROP
iptables -A INPUT -p tcp --dport 443 -j DROP

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.

Try SentinelOne