CVE-2019-5160
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
SINGLE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:S/C:P/I:P/A:P
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
HIGH
User Interaction
NONE
Scope
CHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
AI Score
Confidence
High
EPSS
Percentile
33.2%
An exploitable improper host validation vulnerability exists in the Cloud Connectivity functionality of WAGO PFC200 Firmware versions 03.02.02(14), 03.01.07(13), and 03.00.39(12). A specially crafted HTTPS POST request can cause the software to connect to an unauthorized host, resulting in unauthorized access to firmware update functionality. An attacker can send an authenticated HTTPS POST request to direct the Cloud Connectivity software to connect to an attacker controlled Azure IoT Hub node.
Affected configurations
| Vendor | Product | Version | CPE |
|---|---|---|---|
| wago | pfc200_firmware | 03.00.39(12) | cpe:2.3:o:wago:pfc200_firmware:03.00.39\(12\):*:*:*:*:*:*:* |
| wago | pfc200_firmware | 03.01.07(13) | cpe:2.3:o:wago:pfc200_firmware:03.01.07\(13\):*:*:*:*:*:*:* |
| wago | pfc200_firmware | 03.02.02(14) | cpe:2.3:o:wago:pfc200_firmware:03.02.02\(14\):*:*:*:*:*:*:* |
| wago | pfc200 | - | cpe:2.3:h:wago:pfc200:-:*:*:*:*:*:*:* |
Related
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
SINGLE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:S/C:P/I:P/A:P
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
HIGH
User Interaction
NONE
Scope
CHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
AI Score
Confidence
High
EPSS
Percentile
33.2%