CVE-2019-12549

WAGO 852-303 before FW06, 852-1305 before FW06, and 852-1505 before FW03 devices contain hardcoded private keys for the SSH daemon. The fingerprint of the SSH host key from the corresponding SSH daemon matches the embedded private key.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
9.8 CRITICAL
NETWORK
LOW
NONE
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
mitreCNA
---
---
CVEADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 73%
VendorProductVersion
wago852-303_firmware
𝑥
< 1.2.2.s0
wago852-1305_firmware
𝑥
< 1.1.6.s0
wago852-1505_firmware
𝑥
< 1.1.5.s0
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
https://cert.vde.com/en-us/advisories/vde-2019-013
https://ics-cert.us-cert.gov/advisories/ICSA-19-164-02
https://www.wago.com/us/
https://cert.vde.com/en-us/advisories/vde-2019-013
https://ics-cert.us-cert.gov/advisories/ICSA-19-164-02
https://www.wago.com/us/