VDE-2026-002
Vulnerability from csaf_endresshauserag - Published: 2026-03-02 07:00 - Updated: 2026-03-02 07:00
Summary
Endress+Hauser: buffer overflow in glibc ld.so leading to privilege escalation
Severity
High
Notes
Summary: A vulnerability has been identified in WAGO devices utilized in Endress+Hauser IoT solutions. WAGO has provided fixes for these vulnerabilities, which have been integrated into the solutions by Endress+Hauser.
Impact: An on-premises attacker could escalate application privileges to root level. This would enable the execution of arbitrary code with root privileges, allowing the attacker to modify configurations and manipulate measurement outputs.
Mitigation: Local access is required to exploit this vulnerability. To mitigate the risk, ensure that only authorized personnel have physical access to the device.
Remediation: Endress+Hauser provides updated firmware versions for the related components from WAGO that fix the vulnerability. Endress+Hauser strongly recommends that customers update to the new fixed version. For support, please contact your local service center.
General Recommendation: Endress+Hauser recommends using the solutions only in a secure environment and allowing access to their components only to authorized persons.
A buffer overflow was discovered in the GNU C Library's dynamic loader ld.so while processing the GLIBC_TUNABLES environment variable. This issue could allow a local attacker to use maliciously crafted GLIBC_TUNABLES environment variables when launching binaries with SUID permission to execute code with elevated privileges.
CVSS v3.1 base score: 7.8 (High)
Acknowledgments
CERT@VDE
certvde.com
{
"document": {
"acknowledgments": [
{
"organization": "CERT@VDE",
"summary": "coordination",
"urls": [
"https://certvde.com"
]
}
],
"aggregate_severity": {
"namespace": "https://www.first.org/cvss/v3.1/specification-document#Qualitative-Severity-Rating-Scale",
"text": "high"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"tlp": {
"label": "WHITE"
}
},
"lang": "en-US",
"notes": [
{
"category": "summary",
"text": "A vulnerability has been identified in WAGO devices utilized in Endress+Hauser IoT solutions. WAGO has provided fixes for these vulnerabilities, which have been integrated into the solutions by Endress+Hauser. ",
"title": "Summary"
},
{
"category": "description",
"text": "An on-premises attacker could escalate application privileges to root level. This would enable the execution of arbitrary code with root privileges, allowing the attacker to modify configurations and manipulate measurement outputs. ",
"title": "Impact"
},
{
"category": "description",
"text": "Local access is required to exploit this vulnerability. To mitigate the risk, ensure that only authorized personnel have physical access to the device. ",
"title": "Mitigation"
},
{
"category": "description",
"text": "Endress+Hauser provides updated firmware versions for the related components from WAGO which fixes the vulnerability. Endress+Hauser strongly recommends customers to update to the new fixed version. For support, please contact your local service center. ",
"title": "Remediation"
},
{
"category": "general",
"text": "Endress+Hauser recommends using the solutions only in a secure environment and to allow access to their components only to authorized persons. ",
"title": "General Recommendation"
}
],
"publisher": {
"category": "vendor",
"contact_details": "psirt@endress.com",
"name": "Endress+Hauser AG",
"namespace": "https://www.endress.com"
},
"references": [
{
"category": "external",
"summary": "Endress+Hauser",
"url": "https://www.endress.com"
},
{
"category": "external",
"summary": "CERT@VDE Security Advisories for Endress+Hauser",
"url": "https://certvde.com/en/advisories/vendor/endress+hauser"
},
{
"category": "self",
"summary": "VDE-2026-002: Endress+Hauser: buffer overflow in glibc ld.so leading to privilege escalation - HTML",
"url": "https://certvde.com/en/advisories/VDE-2026-002"
},
{
"category": "self",
"summary": "VDE-2026-002: Endress+Hauser: buffer overflow in glibc ld.so leading to privilege escalation - CSAF",
"url": "https://endress-hauser.csaf-tp.certvde.com/.well-known/csaf/white/2026/vde-2026-002.json"
}
],
"title": "Endress+Hauser: buffer overflow in glibc ld.so leading to privilege escalation",
"tracking": {
"aliases": [
"VDE-2026-002"
],
"current_release_date": "2026-03-02T07:00:00.000Z",
"generator": {
"date": "2026-03-02T06:28:34.891Z",
"engine": {
"name": "Secvisogram",
"version": "2.5.43"
}
},
"id": "VDE-2026-002",
"initial_release_date": "2026-03-02T07:00:00.000Z",
"revision_history": [
{
"date": "2026-03-02T07:00:00.000Z",
"number": "1.0.0",
"summary": "Initial version"
}
],
"status": "final",
"version": "1.0.0"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "CC 100 (751-9301) ",
"product": {
"name": "Endress+Hauser CC 100 (751-9301) ",
"product_id": "CSAFPID-11001",
"product_identification_helper": {
"cpe": "cpe:2.3:h:wago:cc_100:*:*:*:*:*:*:*:*",
"model_numbers": [
"751-9301"
]
}
}
},
{
"category": "product_name",
"name": "PFC 200 (750-82xx/xxx-xxx) ",
"product": {
"name": "Endress+Hauser PFC 200 (750-82xx/xxx-xxx) ",
"product_id": "CSAFPID-11002",
"product_identification_helper": {
"cpe": "cpe:2.3:h:wago:pfc_200:*:*:*:*:*:*:*:*",
"model_numbers": [
"750-82??"
]
}
}
}
],
"category": "product_family",
"name": "Hardware"
},
{
"branches": [
{
"category": "product_version",
"name": "FW 23",
"product": {
"name": "Firmware FW 23 ",
"product_id": "CSAFPID-21001"
}
},
{
"category": "product_version",
"name": "FW 28",
"product": {
"name": "Firmware FW 28",
"product_id": "CSAFPID-22001"
}
},
{
"category": "product_version_range",
"name": "vers:generic/\u003c=FW 23",
"product": {
"name": "Firmware \u003c=FW 23",
"product_id": "CSAFPID-21002"
}
}
],
"category": "product_family",
"name": "Firmware"
}
],
"category": "vendor",
"name": "WAGO"
}
],
"product_groups": [
{
"group_id": "CSAFGID-0001",
"product_ids": [
"CSAFPID-31001",
"CSAFPID-31002",
"CSAFPID-31003",
"CSAFPID-31004"
],
"summary": "Affected Products."
},
{
"group_id": "CSAFGID-0002",
"product_ids": [
"CSAFPID-32001",
"CSAFPID-32002"
],
"summary": "Fixed Products."
}
],
"relationships": [
{
"category": "installed_on",
"full_product_name": {
"name": "Firmware FW 23 installed on CC 100 (751-9301) ",
"product_id": "CSAFPID-31001",
"product_identification_helper": {
"cpe": "cpe:2.3:o:wago:cc_100_firmware:fw23:*:*:*:*:*:*:*"
}
},
"product_reference": "CSAFPID-21001",
"relates_to_product_reference": "CSAFPID-11001"
},
{
"category": "installed_on",
"full_product_name": {
"name": "Firmware FW 28 installed on CC 100 (751-9301) ",
"product_id": "CSAFPID-32001",
"product_identification_helper": {
"cpe": "cpe:2.3:o:wago:cc_100_firmware:fw28:*:*:*:*:*:*:*"
}
},
"product_reference": "CSAFPID-22001",
"relates_to_product_reference": "CSAFPID-11001"
},
{
"category": "installed_on",
"full_product_name": {
"name": "Firmware FW 23 installed on PFC 200 (750-82xx/xxx-xxx) ",
"product_id": "CSAFPID-31002",
"product_identification_helper": {
"cpe": "cpe:2.3:o:wago:pfc_200_firmware:fw23:*:*:*:*:*:*:*"
}
},
"product_reference": "CSAFPID-21001",
"relates_to_product_reference": "CSAFPID-11002"
},
{
"category": "installed_on",
"full_product_name": {
"name": "Firmware FW 28 installed on PFC 200 (750-82xx/xxx-xxx) ",
"product_id": "CSAFPID-32002",
"product_identification_helper": {
"cpe": "cpe:2.3:o:wago:pfc_200_firmware:fw28:*:*:*:*:*:*:*"
}
},
"product_reference": "CSAFPID-22001",
"relates_to_product_reference": "CSAFPID-11002"
},
{
"category": "installed_on",
"full_product_name": {
"name": "Firmware \u003c=FW 23 installed on CC 100 (751-9301) ",
"product_id": "CSAFPID-31003"
},
"product_reference": "CSAFPID-21002",
"relates_to_product_reference": "CSAFPID-11001"
},
{
"category": "installed_on",
"full_product_name": {
"name": "Firmware \u003c=FW 23 installed on PFC 200 (750-82xx/xxx-xxx) ",
"product_id": "CSAFPID-31004"
},
"product_reference": "CSAFPID-21002",
"relates_to_product_reference": "CSAFPID-11002"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2023-4911",
"cwe": {
"id": "CWE-787",
"name": "Out-of-bounds Write"
},
"notes": [
{
"audience": "all",
"category": "description",
"text": "A buffer overflow was discovered in the GNU C Library\u0027s dynamic loader ld.so while processing the GLIBC_TUNABLES environment variable. This issue could allow a local attacker to use maliciously crafted GLIBC_TUNABLES environment variables when launching binaries with SUID permission to execute code with elevated privileges.",
"title": "CVE Description"
}
],
"product_status": {
"fixed": [
"CSAFPID-32001",
"CSAFPID-32002"
],
"known_affected": [
"CSAFPID-31001",
"CSAFPID-31002",
"CSAFPID-31003",
"CSAFPID-31004"
],
"last_affected": [
"CSAFPID-31001",
"CSAFPID-31002"
]
},
"remediations": [
{
"category": "mitigation",
"details": "Local access is required to exploit this vulnerability. To mitigate the risk, ensure that only authorized personnel have physical access to the device. ",
"group_ids": [
"CSAFGID-0001"
]
},
{
"category": "vendor_fix",
"details": "Endress+Hauser provides updated firmware versions for the related components from WAGO which fixes the vulnerability. Endress+Hauser strongly recommends customers to update to the new fixed version. For support, please contact your local service center. ",
"group_ids": [
"CSAFGID-0001"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"environmentalScore": 7.8,
"environmentalSeverity": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"temporalScore": 7.8,
"temporalSeverity": "HIGH",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-31001",
"CSAFPID-31002",
"CSAFPID-31003",
"CSAFPID-31004"
]
}
],
"title": "CVE-2023-4911"
}
]
}