CVE-2023-1698

CRITICAL EXPLOITED NUCLEI

WAGO Compact Controller 100 Firmware 20-22 - Unauthenticated OS Command Injection

Title source: llm

Exploitation Summary

CVE-2023-1698 has been observed exploited in the wild (reported by VulnCheck KEV). EIP tracks 5 public exploits from researchers including X3RX3SSec, Chocapikk, ibrahmsql. A Nuclei detection template is also available.

AI-analyzed exploit summary This is a functional PoC exploit for CVE-2023-1698, targeting WAGO PLCs via command injection in the `licenses.php` endpoint. It allows remote command execution by injecting shell commands into a JSON payload.

Description

In multiple products of WAGO a vulnerability allows an unauthenticated, remote attacker to create new users and change the device configuration which can result in unintended behaviour, Denial of Service and full system compromise.

Exploits (5)

nomisec WORKING POC 4 stars

by X3RX3SSec · remote

https://github.com/X3RX3SSec/CVE-2023-1698

View Code ZIP pw:eip

This is a functional PoC exploit for CVE-2023-1698, targeting WAGO PLCs via command injection in the `licenses.php` endpoint. It allows remote command execution by injecting shell commands into a JSON payload.

Classification

Working Poc 95%

Attack Type

Rce

Complexity

Trivial

Reliability

Reliable

Target: WAGO PLCs (specific version not specified)

No auth needed

Prerequisites: Network access to the target WAGO PLC · Python 3.x with `requests` library

MITRE ATT&CK

T1189 - Drive-by Compromise T1059 - Command and Scripting Interpreter

devstral-2 · analyzed Feb 16, 2026 Full analysis →

nomisec WORKING POC 4 stars

by Chocapikk · remote

https://github.com/Chocapikk/CVE-2023-1698

View Code ZIP pw:eip

This repository contains a functional exploit for CVE-2023-1698, targeting WAGO devices with an unauthenticated RCE vulnerability. The exploit sends a crafted payload to a specific endpoint, allowing arbitrary command execution.

Classification

Working Poc 95%

Attack Type

Rce

Complexity

Trivial

Reliability

Reliable

Target: WAGO Web-Based Management (multiple products)

No auth needed

Prerequisites: Network access to the target device · Target running vulnerable WAGO software

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1210 - Exploitation of Remote Services

devstral-2 · analyzed Feb 16, 2026 Full analysis →

nomisec WORKING POC 3 stars

by ibrahmsql · remote

https://github.com/ibrahmsql/CVE-2023-1698

View Code ZIP pw:eip

This is a Go-based exploit for CVE-2023-1698, targeting WAGO devices. It sends a crafted JSON payload to execute arbitrary commands via a vulnerable endpoint, with support for both single and bulk URL scanning.

Classification

Working Poc 95%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: WAGO devices (specific version not explicitly stated)

No auth needed

Prerequisites: Network access to the target device · Vulnerable endpoint exposed

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1203 - Exploitation for Client Execution

devstral-2 · analyzed Feb 16, 2026 Full analysis →

nomisec WORKING POC 2 stars

by thedarknessdied · remote

https://github.com/thedarknessdied/WAGO-CVE-2023-1698

View Code ZIP pw:eip

This repository contains a Python-based PoC for CVE-2023-1698, a remote code execution vulnerability in WAGO systems. The exploit allows unauthenticated attackers to create users, modify configurations, and execute commands via file inclusion or direct command injection.

Classification

Working Poc 90%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: WAGO electrical interconnection and automation systems (multiple products)

No auth needed

Prerequisites: Network access to vulnerable WAGO device · Python environment with required dependencies

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1203 - Exploitation for Client Execution

devstral-2 · analyzed Feb 16, 2026 Full analysis →

nomisec WORKING POC

by deIndra · remote

https://github.com/deIndra/CVE-2023-1698

View Code ZIP pw:eip

This PoC exploits CVE-2023-1698 by sending a crafted POST request to a vulnerable endpoint, injecting arbitrary commands via the 'package' parameter in JSON data. It checks for successful execution by verifying the presence of a 'license' key in the response.

Classification

Working Poc 90%

Attack Type

Rce

Complexity

Trivial

Reliability

Reliable

Target: Web-based Management (WBM) plugin (specific version not specified)

No auth needed

Prerequisites: Network access to the target · Vulnerable endpoint exposed

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1203 - Exploitation for Client Execution

devstral-2 · analyzed Feb 16, 2026 Full analysis →

Nuclei Templates (1)

WAGO - Remote Command Execution

CRITICALby xianke

Shodan: html:"/wbm/" html:"wago" || http.html:"/wbm/" html:"wago"

FOFA: body="/wbm/" html:"wago"

References (1)

Core 1

Core References

Third Party Advisory

https://cert.vde.com/en/advisories/VDE-2023-007/

Scores

CVSS v3 9.8

EPSS 0.9403

EPSS Percentile 99.9%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable yes

Technical Impact total

Details

VulnCheck KEV 2023-12-04

CWE

CWE-78

Status published

Products (7)

wago/compact_controller_100_firmware 20 - 23

wago/edge_controller_firmware 22

wago/pfc100_firmware 20 - 23

wago/pfc200_firmware 20 - 23

wago/touch_panel_600_advanced_firmware 22

wago/touch_panel_600_marine_firmware 22

wago/touch_panel_600_standard_firmware 22

Published May 15, 2023

Tracked Since Feb 18, 2026