{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/wago-plc/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[{"cvss":7.2,"id":"CVE-2024-1490"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["cve-2024-1490","wago-plc","openvpn","rce","code-injection"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eCVE-2024-1490 describes a critical vulnerability affecting WAGO Programmable Logic Controllers (PLCs). A remote attacker with existing high-privilege access to the PLC\u0026rsquo;s web-based management interface can exploit the OpenVPN configuration. The vulnerability stems from insufficient input validation within the OpenVPN configuration settings. If the PLC\u0026rsquo;s OpenVPN setup permits user-defined scripts, a malicious actor can inject arbitrary shell commands. Successful exploitation allows the attacker to execute arbitrary code on the underlying operating system of the WAGO PLC, potentially leading to full device compromise. This vulnerability was reported by CERT VDE and impacts WAGO PLCs that utilize a vulnerable web-based management interface and permit user-defined scripts in their OpenVPN configuration.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains initial high-privilege access to the WAGO PLC\u0026rsquo;s web-based management interface.\u003c/li\u003e\n\u003cli\u003eThe attacker navigates to the OpenVPN configuration section within the management interface.\u003c/li\u003e\n\u003cli\u003eThe attacker identifies that the OpenVPN configuration allows for user-defined scripts.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious OpenVPN configuration file or injects malicious commands via existing configuration options. This configuration contains embedded shell commands designed for execution on the PLC.\u003c/li\u003e\n\u003cli\u003eThe attacker uploads or applies the modified OpenVPN configuration to the WAGO PLC through the web interface.\u003c/li\u003e\n\u003cli\u003eThe WAGO PLC processes the OpenVPN configuration, leading to the execution of the attacker-supplied shell commands.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves arbitrary code execution on the underlying operating system of the WAGO PLC.\u003c/li\u003e\n\u003cli\u003eThe attacker can then use this initial foothold to perform further actions, such as deploying malware, exfiltrating sensitive information, or disrupting industrial processes.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2024-1490 allows an attacker to execute arbitrary code on a WAGO PLC. This can lead to complete compromise of the device, potentially affecting the industrial processes it controls. An attacker could disrupt operations, manipulate data, or use the compromised PLC as a pivot point for further attacks within the industrial network. The severity of the impact depends on the role of the compromised PLC within the industrial environment, potentially leading to significant financial losses, safety incidents, or reputational damage.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eRestrict access to the WAGO PLC\u0026rsquo;s web-based management interface by enforcing strong authentication and authorization mechanisms to prevent unauthorized access (refer to CVE-2024-1490).\u003c/li\u003e\n\u003cli\u003eDisable or restrict the use of user-defined scripts within the OpenVPN configuration to mitigate the risk of command injection (refer to CVE-2024-1490).\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for suspicious activity related to OpenVPN configuration changes, looking for unusual POST requests or configuration parameters (see \u0026ldquo;rules\u0026rdquo; section below).\u003c/li\u003e\n\u003cli\u003eImplement regular security audits of WAGO PLC configurations, focusing on OpenVPN settings and user-defined scripts (refer to CVE-2024-1490).\u003c/li\u003e\n\u003cli\u003eReview and apply the security recommendations provided by CERT VDE in their advisory, available at \u003ca href=\"https://certvde.com/de/advisories/VDE-2024-008\"\u003ehttps://certvde.com/de/advisories/VDE-2024-008\u003c/a\u003e.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-09T11:16:19Z","date_published":"2026-04-09T11:16:19Z","id":"/briefs/2026-04-wago-plc-openvpn-rce/","summary":"An authenticated remote attacker with high privileges can exploit the OpenVPN configuration via the web-based management interface of a WAGO PLC to achieve arbitrary command execution on the device.","title":"WAGO PLC OpenVPN Configuration Vulnerability (CVE-2024-1490)","url":"https://feed.craftedsignal.io/briefs/2026-04-wago-plc-openvpn-rce/"}],"language":"en","title":"CraftedSignal Threat Feed — Wago-Plc","version":"https://jsonfeed.org/version/1.1"}