Connect with us

Hi, what are you looking for?



OT:Icefall: Vulnerabilities Identified in Wago Controllers

Forescout Technologies has disclosed the details of vulnerabilities impacting operational technology (OT) products from Wago and Schneider Electric.

OT Cybersecurity Webinar

Forescout Technologies has disclosed the details of three vulnerabilities impacting operational technology (OT) products from Wago and Schneider Electric.

The flaws were identified as part of the OT:Icefall research that has led to the public disclosure of 61 vulnerabilities impacting more than 100 OT products from 13 vendors.

After an initial set of 56 vulnerabilities disclosed in June 2022, Forescout shared the details of three more flaws in November 2022, and is now adding two new bugs to the list, while also sharing information on a previously identified but not disclosed issue.

Tracked as CVE-2023-1619 and CVE-2023-1620, the new vulnerabilities impact Wago 750 controllers using the Codesys v2 runtime and could be exploited by an authenticated attacker to cause a denial-of-service (DoS) condition, Forescout says.

The first issue is the result of a poor implementation of protocol parsers, while the second is an insufficient session expiration bug. The two flaws can be exploited by an authenticated attacker to crash a device, by sending a malformed packet or specific requests after being logged out, respectively.

Returning the device to the operating state requires a manual reboot in both cases, Forescout explains.

Used in commercial facilities, energy, manufacturing, and transport, Wago 750 automation controllers support a variety of protocols, including BACnet/IP, CANopen, DeviceNet Ethernet/IP, KNX, LonWorks, Modbus, and PROFIBUS.

Advertisement. Scroll to continue reading.

Forescout also shared details on a high-severity vulnerability in Schneider Electric ION and PowerLogic product lines, which was identified in the first set of OT:Icefall bugs, but not made public at the request of the vendor.

Tracked as CVE-2022-46680, the issue impacts the power meters’ ION/TCP protocol implementation, which transmits a user ID and password in plaintext with every message, thus exposing them to an attacker that can passively intercept traffic.

“An attacker who obtains ION or PowerLogic credentials can authenticate to the ION/TCP engineering interface as well as SSH and HTTP interfaces to change energy monitor configuration settings and potentially modify firmware. If the credentials in question are (re)used for other applications, their compromise could potentially facilitate lateral movement,” Forescout explains.

These devices should not be accessible from the internet, but Forescout says it has identified between 2,000 and 4,000 potentially unique devices that are exposed online.

Most of the identified Wago controllers have the HTTP protocol exposed, while the Schneider Electric meters expose the Telnet protocol. Wago devices are highly popular in Europe (mainly in Germany, Turkey and France), while ION meters are popular in North America.

Concluding the one-year OT:Icefall research, Forescout notes that it has identified several instances of incomplete patches, including some that originate in software supply-chain components that led to new vulnerabilities.

With advisories issued for most of the discovered flaws (except for bugs in Emerson’s Ovation distributed control system), vendor response to OT:Icefall was good, especially if compared to the 2021 Project Memoria research that identified roughly 100 vulnerabilities in TCP/IP stacks, for which only 22.5% of the impacted vendors have issued advisories.

Related: Ripple20: Flaws in Treck TCP/IP Stack Expose Millions of IoT Devices to Attacks

Related: ‘AMNESIA:33’ Vulnerabilities in TCP/IP Stacks Expose Millions of Devices to Attacks

Related: Vulnerabilities in TCP/IP Stacks Allow for TCP Connection Hijacking, Spoofing

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join security experts as they discuss ZTNA’s untapped potential to both reduce cyber risk and empower the business.


Join Microsoft and Finite State for a webinar that will introduce a new strategy for securing the software supply chain.


Expert Insights

Related Content


The overall effect of current global geopolitical conditions is that nation states have a greater incentive to target the ICS/OT of critical industries, while...

CISO Strategy

Cybersecurity-related risk is a top concern, so boards need to know they have the proper oversight in place. Even as first-timers, successful CISOs make...


Wago has patched critical vulnerabilities that can allow hackers to take complete control of its programmable logic controllers (PLCs).


Otorio has released a free tool that organizations can use to detect and address issues related to DCOM authentication.


Cybersecurity firm Forescout shows how various ICS vulnerabilities can be chained for an exploit that allows hackers to cause damage to a bridge.

Cybersecurity Funding

Internet of Things (IoT) and Industrial IoT security provider Shield-IoT this week announced that it has closed a $7.4 million Series A funding round,...


More than 1,300 ICS vulnerabilities were discovered in 2022, including nearly 1,000 that have a high or critical severity rating.