VDE-2025-048
Vulnerability from csaf_wagogmbhcokg - Published: 2025-09-08 07:00 - Updated: 2025-09-08 07:00
Summary
WAGO: Escalation of Privileges in Coupler Firmware
Severity
High
Notes
Summary: A design flaw in the file system management exposes internal system partitions - intended to be hidden - during brief moments when they are mounted by the firmware. These partitions contain sensitive data such as firmware and certificates. Although access to the file system is mediated by a Nucleus layer that supports permission control, these permissions are currently not enforced. As a result, services like FTP/SFTP may inadvertently gain access to critical internal resources, increasing the risk of unauthorized access or data leakage.
Impact: Because the internal partitions are visible, a low-privileged remote attacker can escalate privileges and can, for example, edit the firmware files.
Remediation: Update to Firmware version 13.
Mitigation: FTP is disabled by default on these devices and should be left disabled. To prevent exploitation of this vulnerability on firmware versions below 13, it is recommended to also disable SFTP through the device's configuration settings.
A low-privileged remote attacker could gain unauthorized access to critical resources, such as firmware and certificates, due to improper permission handling during the runtime of services (e.g., FTP/SFTP). This access could allow the attacker to escalate privileges and modify firmware.
7.5 (High)
Vendor Fix
Update to Firmware version 13.
Mitigation
FTP is disabled by default on these devices and should be left disabled. To prevent exploitation of this vulnerability on firmware versions below 13, it is recommended to also disable SFTP through the device's configuration settings.
References
Acknowledgments
CERT@VDE
certvde.com
{
"document": {
"acknowledgments": [
{
"organization": "CERT@VDE",
"summary": "coordination",
"urls": [
"https://certvde.com"
]
}
],
"aggregate_severity": {
"namespace": "https://www.first.org/cvss/v3.1/specification-document#Qualitative-Severity-Rating-Scale",
"text": "High"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en-GB",
"notes": [
{
"category": "summary",
"text": "A design flaw in the file system management exposes internal system partitions - intended to be hidden - during brief moments when they are mounted by the firmware. These partitions contain sensitive data such as firmware and certificates. Although access to the file system is mediated by a Nucleus layer that supports permission control, these permissions are currently not enforced. As a result, services like FTP/SFTP may inadvertently gain access to critical internal resources, increasing the risk of unauthorized access or data leakage.",
"title": "Summary"
},
{
"category": "description",
"text": "Due to the visibility of the internal partitions a low-privileged remote attacker can escalate privileges and can for example edit the firmware files.",
"title": "Impact"
},
{
"category": "description",
"text": "Update to Firmware version 13.",
"title": "Remediation"
},
{
"category": "description",
"text": "By default, FTP is disabled on these devices. To prevent exploitation of this vulnerability, it is recommended to also disable SFTP in firmware versions below 13 through the device\u0027s configuration settings.",
"title": "Mitigation"
}
],
"publisher": {
"category": "vendor",
"contact_details": "psirt@wago.com",
"name": "WAGO GmbH \u0026 Co. KG",
"namespace": "https://www.wago.com/psirt"
},
"references": [
{
"category": "external",
"summary": "WAGO PSIRT",
"url": "https://www.wago.com/de-en/automation-technology/psirt"
},
{
"category": "external",
"summary": "CERT@VDE Security Advisories for WAGO",
"url": "https://certvde.com/de/advisories/vendor/wago/"
},
{
"category": "self",
"summary": "VDE-2025-048: WAGO: Escalation of Privileges in Coupler Firmware - HTML",
"url": "https://certvde.com/en/advisories/VDE-2025-048"
},
{
"category": "self",
"summary": "VDE-2025-048: WAGO: Escalation of Privileges in Coupler Firmware - CSAF",
"url": "https://wago.csaf-tp.certvde.com/.well-known/csaf/white/2025/vde-2025-048.json"
}
],
"title": "WAGO: Escalation of Privileges in Coupler Firmware",
"tracking": {
"aliases": [
"VDE-2025-048"
],
"current_release_date": "2025-09-08T07:00:00.000Z",
"generator": {
"date": "2025-09-05T09:45:45.351Z",
"engine": {
"name": "Secvisogram",
"version": "2.5.34"
}
},
"id": "VDE-2025-048",
"initial_release_date": "2025-09-08T07:00:00.000Z",
"revision_history": [
{
"date": "2025-09-08T07:00:00.000Z",
"number": "1",
"summary": "initial version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "0750-0362",
"product": {
"name": "Coupler 0750-0362",
"product_id": "CSAFPID-11001",
"product_identification_helper": {
"model_numbers": [
"0750-0362"
]
}
}
},
{
"category": "product_name",
"name": "0750-0362/0000-0001",
"product": {
"name": "Coupler 0750-0362/0000-0001",
"product_id": "CSAFPID-11002",
"product_identification_helper": {
"model_numbers": [
"0750-0362/0000-0001"
]
}
}
},
{
"category": "product_name",
"name": "0750-0362/0040-0000",
"product": {
"name": "Coupler 0750-0362/0040-0000",
"product_id": "CSAFPID-11003",
"product_identification_helper": {
"model_numbers": [
"0750-0362/0040-0000"
]
}
}
},
{
"category": "product_name",
"name": "0750-0362/K013-1080",
"product": {
"name": "Coupler 0750-0362/K013-1080",
"product_id": "CSAFPID-11004",
"product_identification_helper": {
"model_numbers": [
"0750-0362/K013-1080"
]
}
}
},
{
"category": "product_name",
"name": "0750-0362/K019-7576",
"product": {
"name": "Coupler 0750-0362/K019-7576",
"product_id": "CSAFPID-11005"
}
},
{
"category": "product_name",
"name": "0750-0363",
"product": {
"name": "Coupler 0750-0363",
"product_id": "CSAFPID-11006",
"product_identification_helper": {
"model_numbers": [
"0750-0363"
]
}
}
},
{
"category": "product_name",
"name": "0750-0363/0040-0000",
"product": {
"name": "Coupler 0750-0363/0040-0000",
"product_id": "CSAFPID-11007",
"product_identification_helper": {
"model_numbers": [
"0750-0363/0040-0000"
]
}
}
},
{
"category": "product_name",
"name": "0750-0364/0040-0010",
"product": {
"name": "Coupler 0750-0364/0040-0010",
"product_id": "CSAFPID-11008",
"product_identification_helper": {
"model_numbers": [
"0750-0364/0040-0010"
]
}
}
},
{
"category": "product_name",
"name": "0750-0365/0040-0010",
"product": {
"name": "Coupler 0750-0365/0040-0010",
"product_id": "CSAFPID-11009",
"product_identification_helper": {
"model_numbers": [
"0750-0365/0040-0010"
]
}
}
},
{
"category": "product_name",
"name": "0750-0366",
"product": {
"name": "Coupler 0750-0366",
"product_id": "CSAFPID-11010",
"product_identification_helper": {
"model_numbers": [
"0750-0366"
]
}
}
}
],
"category": "product_family",
"name": "Coupler"
}
],
"category": "product_family",
"name": "Hardware"
},
{
"branches": [
{
"category": "product_version_range",
"name": "\u003cFW13",
"product": {
"name": "WAGO Firmware \u003cFW13",
"product_id": "CSAFPID-21001"
}
},
{
"category": "product_version",
"name": "FW13",
"product": {
"name": "WAGO Firmware FW13",
"product_id": "CSAFPID-22001"
}
}
],
"category": "product_family",
"name": "Firmware"
}
],
"category": "vendor",
"name": "WAGO"
}
],
"product_groups": [
{
"group_id": "CSAFGID-0001",
"product_ids": [
"CSAFPID-31001",
"CSAFPID-31002",
"CSAFPID-31003",
"CSAFPID-31004",
"CSAFPID-31005",
"CSAFPID-31006",
"CSAFPID-31007",
"CSAFPID-31008",
"CSAFPID-31009",
"CSAFPID-31010"
],
"summary": "Affected products."
},
{
"group_id": "CSAFGID-0002",
"product_ids": [
"CSAFPID-32001",
"CSAFPID-32002",
"CSAFPID-32003",
"CSAFPID-32004",
"CSAFPID-32005",
"CSAFPID-32006",
"CSAFPID-32007",
"CSAFPID-32008",
"CSAFPID-32009",
"CSAFPID-32010"
],
"summary": "Fixed products."
}
],
"relationships": [
{
"category": "installed_on",
"full_product_name": {
"name": "WAGO Firmware \u003cFW13 installed on Coupler 0750-0362",
"product_id": "CSAFPID-31001"
},
"product_reference": "CSAFPID-21001",
"relates_to_product_reference": "CSAFPID-11001"
},
{
"category": "installed_on",
"full_product_name": {
"name": "WAGO Firmware \u003cFW13 installed on Coupler 0750-0362/0000-0001",
"product_id": "CSAFPID-31002"
},
"product_reference": "CSAFPID-21001",
"relates_to_product_reference": "CSAFPID-11002"
},
{
"category": "installed_on",
"full_product_name": {
"name": "WAGO Firmware \u003cFW13 installed on Coupler 0750-0362/0040-0000",
"product_id": "CSAFPID-31003"
},
"product_reference": "CSAFPID-21001",
"relates_to_product_reference": "CSAFPID-11003"
},
{
"category": "installed_on",
"full_product_name": {
"name": "WAGO Firmware \u003cFW13 installed on Coupler 0750-0362/K013-1080",
"product_id": "CSAFPID-31004"
},
"product_reference": "CSAFPID-21001",
"relates_to_product_reference": "CSAFPID-11004"
},
{
"category": "installed_on",
"full_product_name": {
"name": "WAGO Firmware \u003cFW13 installed on Coupler 0750-0362/K019-7576",
"product_id": "CSAFPID-31005"
},
"product_reference": "CSAFPID-21001",
"relates_to_product_reference": "CSAFPID-11005"
},
{
"category": "installed_on",
"full_product_name": {
"name": "WAGO Firmware \u003cFW13 installed on Coupler 0750-0363",
"product_id": "CSAFPID-31006"
},
"product_reference": "CSAFPID-21001",
"relates_to_product_reference": "CSAFPID-11006"
},
{
"category": "installed_on",
"full_product_name": {
"name": "WAGO Firmware \u003cFW13 installed on Coupler 0750-0363/0040-0000",
"product_id": "CSAFPID-31007"
},
"product_reference": "CSAFPID-21001",
"relates_to_product_reference": "CSAFPID-11007"
},
{
"category": "installed_on",
"full_product_name": {
"name": "WAGO Firmware \u003cFW13 installed on Coupler 0750-0364/0040-0010",
"product_id": "CSAFPID-31008"
},
"product_reference": "CSAFPID-21001",
"relates_to_product_reference": "CSAFPID-11008"
},
{
"category": "installed_on",
"full_product_name": {
"name": "WAGO Firmware \u003cFW13 installed on Coupler 0750-0365/0040-0010",
"product_id": "CSAFPID-31009"
},
"product_reference": "CSAFPID-21001",
"relates_to_product_reference": "CSAFPID-11009"
},
{
"category": "installed_on",
"full_product_name": {
"name": "WAGO Firmware \u003cFW13 installed on Coupler 0750-0366",
"product_id": "CSAFPID-31010"
},
"product_reference": "CSAFPID-21001",
"relates_to_product_reference": "CSAFPID-11010"
},
{
"category": "installed_on",
"full_product_name": {
"name": "WAGO Firmware FW13 installed on Coupler 0750-0362",
"product_id": "CSAFPID-32001"
},
"product_reference": "CSAFPID-22001",
"relates_to_product_reference": "CSAFPID-11001"
},
{
"category": "installed_on",
"full_product_name": {
"name": "WAGO Firmware FW13 installed on Coupler 0750-0362/0000-0001",
"product_id": "CSAFPID-32002"
},
"product_reference": "CSAFPID-22001",
"relates_to_product_reference": "CSAFPID-11002"
},
{
"category": "installed_on",
"full_product_name": {
"name": "WAGO Firmware FW13 installed on Coupler 0750-0362/0040-0000",
"product_id": "CSAFPID-32003"
},
"product_reference": "CSAFPID-22001",
"relates_to_product_reference": "CSAFPID-11003"
},
{
"category": "installed_on",
"full_product_name": {
"name": "WAGO Firmware FW13 installed on Coupler 0750-0362/K013-1080",
"product_id": "CSAFPID-32004"
},
"product_reference": "CSAFPID-22001",
"relates_to_product_reference": "CSAFPID-11004"
},
{
"category": "installed_on",
"full_product_name": {
"name": "WAGO Firmware FW13 installed on Coupler 0750-0362/K019-7576",
"product_id": "CSAFPID-32005"
},
"product_reference": "CSAFPID-22001",
"relates_to_product_reference": "CSAFPID-11005"
},
{
"category": "installed_on",
"full_product_name": {
"name": "WAGO Firmware FW13 installed on Coupler 0750-0363",
"product_id": "CSAFPID-32006"
},
"product_reference": "CSAFPID-22001",
"relates_to_product_reference": "CSAFPID-11006"
},
{
"category": "installed_on",
"full_product_name": {
"name": "WAGO Firmware FW13 installed on Coupler 0750-0363/0040-0000",
"product_id": "CSAFPID-32007"
},
"product_reference": "CSAFPID-22001",
"relates_to_product_reference": "CSAFPID-11007"
},
{
"category": "installed_on",
"full_product_name": {
"name": "WAGO Firmware FW13 installed on Coupler 0750-0364/0040-0010",
"product_id": "CSAFPID-32008"
},
"product_reference": "CSAFPID-22001",
"relates_to_product_reference": "CSAFPID-11008"
},
{
"category": "installed_on",
"full_product_name": {
"name": "WAGO Firmware FW13 installed on Coupler 0750-0365/0040-0010",
"product_id": "CSAFPID-32009"
},
"product_reference": "CSAFPID-22001",
"relates_to_product_reference": "CSAFPID-11009"
},
{
"category": "installed_on",
"full_product_name": {
"name": "WAGO Firmware FW13 installed on Coupler 0750-0366",
"product_id": "CSAFPID-32010"
},
"product_reference": "CSAFPID-22001",
"relates_to_product_reference": "CSAFPID-11010"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2025-41664",
"cwe": {
"id": "CWE-732",
"name": "Incorrect Permission Assignment for Critical Resource"
},
"notes": [
{
"category": "description",
"text": "A low-privileged remote attacker could gain unauthorized access to critical resources, such as firmware and certificates, due to improper permission handling during the runtime of services (e.g., FTP/SFTP). This access could allow the attacker to escalate privileges and modify firmware.",
"title": "Vulnerability Description"
},
{
"category": "details",
"text": "The internal file system is located on an eMMC in pSLC mode with a storage capacity of 4/8 GB. There are three partitions, two of which are not visible to the user and are used for storing firmware and certificates. Additionally, there is a user partition with a size of 1 GB. The FAT32 file system is accessible to the user via services such as SFTP. Access is managed through a Nucleus intermediary layer that supports permissions, although these are not currently utilized. Access permissions on the couplers are controlled by the permissions of the respective services accessing them. There is a vulnerability in the internal partitions that are normally not visible to the user (runtime system, FTP/SFTP). However, these partitions are momentarily mounted and visible for a fraction of a second when accessed from the firmware.",
"title": "Vulnerability Details"
}
],
"product_status": {
"fixed": [
"CSAFPID-32001",
"CSAFPID-32002",
"CSAFPID-32003",
"CSAFPID-32004",
"CSAFPID-32005",
"CSAFPID-32006",
"CSAFPID-32007",
"CSAFPID-32008",
"CSAFPID-32009",
"CSAFPID-32010"
],
"known_affected": [
"CSAFPID-31001",
"CSAFPID-31002",
"CSAFPID-31003",
"CSAFPID-31004",
"CSAFPID-31005",
"CSAFPID-31006",
"CSAFPID-31007",
"CSAFPID-31008",
"CSAFPID-31009",
"CSAFPID-31010"
]
},
"remediations": [
{
"category": "vendor_fix",
"date": "2025-05-21T10:00:00.000Z",
"details": "Update to Firmware version 13.",
"group_ids": [
"CSAFGID-0001"
]
},
{
"category": "mitigation",
"date": "2025-06-03T12:00:00.000Z",
"details": "By default, FTP is disabled on these devices. To prevent exploitation of this vulnerability, it is recommended to also disable SFTP in firmware versions below 13 through the device\u0027s configuration settings.",
"group_ids": [
"CSAFGID-0001"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"environmentalScore": 7.5,
"environmentalSeverity": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"temporalScore": 7.5,
"temporalSeverity": "HIGH",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-31001",
"CSAFPID-31002",
"CSAFPID-31003",
"CSAFPID-31004",
"CSAFPID-31005",
"CSAFPID-31006",
"CSAFPID-31007",
"CSAFPID-31008",
"CSAFPID-31009",
"CSAFPID-31010"
]
}
],
"title": "CVE-2025-41664"
}
]
}
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.