CVE-2022-50926
Privilege Escalation via Session Cookie Manipulation in WAGO PFC200 Firmware
Publication date: 2026-01-13
Last updated on: 2026-01-13
Assigner: VulnCheck
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wago | 750-8212_pfc200_g2_2eth_rs | 03.05.10(17) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-565 | The product relies on the existence or values of cookies when performing security-critical operations, but it does not properly ensure that the setting is valid for the associated user. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability affects the WAGO 750-8212 PFC200 G2 2ETH RS device firmware, allowing attackers to escalate their privileges from a normal user to an administrator by manipulating the user session cookies. Specifically, attackers can modify the 'name' and 'roles' parameters within the cookie to gain administrative access without authentication. This occurs due to insufficient validation and integrity checking of the session cookies in the device's web interface. [2, 3]
How can this vulnerability impact me?
An attacker exploiting this vulnerability can gain unauthorized administrative access to the WAGO device remotely. This means they can control the device, potentially altering configurations, disrupting operations, or accessing sensitive information. Since no authentication is required to escalate privileges, the risk of compromise is high, leading to significant security impacts on confidentiality, integrity, and availability of the device and its managed systems. [2, 3]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring HTTP requests to the device's web management interface and inspecting session cookies for unauthorized modifications. Specifically, look for cookies where the 'name' parameter is set to 'admin' and the 'roles' array includes 'admin' privileges, which indicates privilege escalation attempts. A practical approach is to capture HTTP traffic (e.g., using tools like tcpdump or Wireshark) and filter for requests to the device's web interface (such as GET /wbm/ HTTP/1.1). Commands like 'tcpdump -i <interface> -A port 80' or 'tcpdump -i <interface> -A host <device_ip> and port 80' can be used to capture HTTP traffic. Then, inspect the Cookie headers for suspicious modifications. Additionally, web proxy tools like Burp Suite or browser developer tools can be used to analyze and manipulate cookies to verify the vulnerability. [2, 3]
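The cookie inspection described above can be automated once the captured requests are reassembled. The following is an added example, not code from the advisory or the vendor: it flags a client whose cookie starts claiming the 'admin' role after an earlier non-admin claim. The cookie name `user` and its URL-encoded JSON layout are assumptions (the page does not give the cookie format), and the requests are constructed samples.

```python
import json
import re
from urllib.parse import quote, unquote

COOKIE_NAME = "user"  # assumption: replace with the real session cookie name


def claimed_identity(request):
    """Return (name, frozenset(roles)) claimed by the cookie, or None."""
    m = re.search(r"^Cookie:\s*(.*)$", request, re.I | re.M)
    if not m:
        return None
    for part in m.group(1).strip().split(";"):
        key, _, value = part.strip().partition("=")
        if key != COOKIE_NAME:
            continue
        try:
            data = json.loads(unquote(value))  # assumed URL-encoded JSON
            return data["name"], frozenset(data["roles"])
        except (ValueError, KeyError, TypeError):
            return None  # malformed or unexpected cookie body
    return None


def find_escalations(events):
    """Return (src, old_name, new_name) where a client gains 'admin' mid-stream."""
    last, alerts = {}, []
    for src, request in events:
        ident = claimed_identity(request)
        if ident is None:
            continue
        prev = last.get(src)
        if prev and "admin" not in prev[1] and "admin" in ident[1]:
            alerts.append((src, prev[0], ident[0]))
        last[src] = ident
    return alerts


def _req(claim):
    """Build one constructed sample request to /wbm/ carrying the given claim."""
    cookie = "lang=en; %s=%s" % (COOKIE_NAME, quote(json.dumps(claim)))
    return "GET /wbm/ HTTP/1.1\r\nHost: plc.example\r\nCookie: %s\r\n\r\n" % cookie


# Constructed sample traffic: (source IP, raw HTTP request), in capture order.
SAMPLE = [
    ("10.0.0.5", _req({"name": "user", "roles": ["user"]})),
    ("10.0.0.9", _req({"name": "admin", "roles": ["admin"]})),
    ("10.0.0.5", _req({"name": "admin", "roles": ["admin"]})),
]
```

A legitimate re-login as an administrator from the same address raises the same alert, so each hit should be checked against the device's login records before it is treated as tampering.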
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include restricting network access to the device's web management interface to trusted users only, implementing network-level controls such as firewalls or VPNs, and monitoring for suspicious cookie modifications. Since the vulnerability arises from insecure session cookie handling, applying any available firmware updates or patches from the vendor is critical. If no patch is available, consider disabling remote web management or using alternative secure management methods until a fix is applied. Additionally, educating users about the risk and monitoring logs for unauthorized access attempts can help reduce exposure. [2, 3]