CVE-2023-1698

EUVD-2023-23926
In multiple products of WAGO a vulnerability allows an unauthenticated, remote attacker to create new users and change the device configuration which can result in unintended behaviour, Denial of Service and full system compromise.
OS Command Injection
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
9.8 CRITICAL
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CERTVDECNA
9.8 CRITICAL
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Base Score
CVSS 3.x
EPSS Score
Percentile: 99%
Affected Products (NVD)
VendorProductVersion
wagocompact_controller_100_firmware
20 ≤
𝑥
≤ 23
wagopfc100_firmware
20 ≤
𝑥
≤ 23
wagopfc200_firmware
20 ≤
𝑥
≤ 23
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
https://cert.vde.com/en/advisories/VDE-2023-007/
https://cert.vde.com/en/advisories/VDE-2023-007/