Home
HIGH: 7.2 CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:HDefault status
unaffected
0.0.0 (semver)
affected
Default status
unaffected
0.0.0 (semver)
affected
Default status
unaffected
0.0.0 (semver)
affected
Default status
unaffected
0.0.0 (semver)
affected
Default status
unaffected
0.0.0 (semver)
affected
Default status
unaffected
0.0.0 (semver)
affected
Default status
unaffected
0.0.0 (semver)
affected
Default status
unaffected
0.0.0 (semver)
affected
Default status
unaffected
0.0.0 (semver)
affected
Default status
unaffected
0.0.0
affected
Default status
unaffected
0.0.0 (semver)
affected
Default status
unaffected
0.0.0 (semver)
affected
Default status
unaffected
0.0.0 (semver)
affected
Description
An authenticated remote attacker with high privileges can exploit the OpenVPN configuration via the web-based management interface of a WAGO PLC. If user-defined scripts are permitted, OpenVPN may allow the execution of arbitrary shell commands enabling the attacker to run arbitrary commands on the device.
Problem types
CWE-94 Improper Control of Generation of Code ('Code Injection')
Product status
0.0.0 (semver)
0.0.0 (semver)
0.0.0 (semver)
0.0.0 (semver)
0.0.0 (semver)
0.0.0 (semver)
0.0.0 (semver)
0.0.0 (semver)
0.0.0 (semver)
0.0.0
0.0.0 (semver)
0.0.0 (semver)
0.0.0 (semver)
Credits
Jeroen Wijenbergh, Floris Hendriks from Radboud University
References
certvde.com/de/advisories/VDE-2024-008
wago.csaf-tp.certvde.com/...saf/white/2026/vde-2024-008.json