CVE-2025-25264: CWE-942 Permissive Cross-domain Policy with Untrusted Domains in WAGO CC100 0751-9x01
An unauthenticated remote attacker can take advantage of the current overly permissive CORS policy to gain access and read the responses, potentially exposing sensitive data or enabling further attacks.
AI Analysis
Technical Summary
CVE-2025-25264 is a high-severity vulnerability affecting the WAGO CC100 0751-9x01 product, specifically related to an overly permissive Cross-Origin Resource Sharing (CORS) policy. The vulnerability is classified under CWE-942, which pertains to permissive cross-domain policies that allow untrusted domains to access resources. In this case, the device's CORS configuration does not properly restrict which external domains can interact with it, enabling an unauthenticated remote attacker to exploit this misconfiguration. By leveraging the permissive CORS policy, the attacker can issue cross-origin requests and read sensitive responses from the device, potentially exposing confidential information or enabling further attack vectors such as session hijacking, data exfiltration, or manipulation of device behavior. The vulnerability requires no user interaction and no authentication, making it easier to exploit remotely over the network. The CVSS 3.1 score of 8.8 reflects the critical impact on confidentiality, integrity, and availability, with low attack complexity and no privileges required. Although no known exploits have been reported in the wild yet, the nature of the vulnerability and the affected product's role in industrial automation and control systems (ICS) make it a significant risk. The lack of available patches at the time of publication further increases the urgency for mitigation and risk management.
Potential Impact
For European organizations, especially those operating in industrial automation, manufacturing, energy, and critical infrastructure sectors, this vulnerability poses a serious threat. The WAGO CC100 0751-9x01 is commonly used in programmable logic controllers (PLCs) and automation controllers, which are integral to operational technology (OT) environments. Exploitation could lead to unauthorized disclosure of sensitive operational data, manipulation of control commands, and disruption of industrial processes. This can result in operational downtime, safety hazards, financial losses, and damage to reputation. Given the interconnected nature of modern industrial networks and the increasing convergence of IT and OT, a successful attack exploiting this vulnerability could also serve as a foothold for lateral movement and more extensive cyberattacks. European organizations with critical infrastructure components relying on WAGO devices may face regulatory scrutiny under frameworks such as NIS2 and GDPR if sensitive data is compromised or service availability is impacted.
Mitigation Recommendations
1. Immediate network segmentation: Isolate WAGO CC100 0751-9x01 devices from general IT networks and restrict access to trusted management networks only. 2. Implement strict firewall rules to limit inbound and outbound traffic to and from these devices, allowing only necessary protocols and IP addresses. 3. Monitor network traffic for unusual cross-origin requests or data flows that could indicate exploitation attempts. 4. Disable or restrict CORS policies on the device if configurable, or apply web application firewalls (WAFs) capable of enforcing domain restrictions on HTTP headers. 5. Engage with WAGO support and subscribe to their security advisories for timely patches or firmware updates addressing this vulnerability. 6. Conduct regular security assessments and penetration tests focusing on OT environments to detect similar misconfigurations. 7. Employ intrusion detection systems (IDS) tailored for OT to detect anomalous behavior related to this vulnerability. 8. Train OT personnel on cybersecurity best practices and incident response specific to ICS vulnerabilities. These steps go beyond generic advice by focusing on OT-specific controls and proactive monitoring tailored to the affected product and environment.
Affected Countries
Germany, France, Italy, Netherlands, Belgium, Poland, Czech Republic, Austria, Switzerland, Spain
CVE-2025-25264: CWE-942 Permissive Cross-domain Policy with Untrusted Domains in WAGO CC100 0751-9x01
Description
An unauthenticated remote attacker can take advantage of the current overly permissive CORS policy to gain access and read the responses, potentially exposing sensitive data or enabling further attacks.
AI-Powered Analysis
Technical Analysis
CVE-2025-25264 is a high-severity vulnerability affecting the WAGO CC100 0751-9x01 product, specifically related to an overly permissive Cross-Origin Resource Sharing (CORS) policy. The vulnerability is classified under CWE-942, which pertains to permissive cross-domain policies that allow untrusted domains to access resources. In this case, the device's CORS configuration does not properly restrict which external domains can interact with it, enabling an unauthenticated remote attacker to exploit this misconfiguration. By leveraging the permissive CORS policy, the attacker can issue cross-origin requests and read sensitive responses from the device, potentially exposing confidential information or enabling further attack vectors such as session hijacking, data exfiltration, or manipulation of device behavior. The vulnerability requires no user interaction and no authentication, making it easier to exploit remotely over the network. The CVSS 3.1 score of 8.8 reflects the critical impact on confidentiality, integrity, and availability, with low attack complexity and no privileges required. Although no known exploits have been reported in the wild yet, the nature of the vulnerability and the affected product's role in industrial automation and control systems (ICS) make it a significant risk. The lack of available patches at the time of publication further increases the urgency for mitigation and risk management.
Potential Impact
For European organizations, especially those operating in industrial automation, manufacturing, energy, and critical infrastructure sectors, this vulnerability poses a serious threat. The WAGO CC100 0751-9x01 is commonly used in programmable logic controllers (PLCs) and automation controllers, which are integral to operational technology (OT) environments. Exploitation could lead to unauthorized disclosure of sensitive operational data, manipulation of control commands, and disruption of industrial processes. This can result in operational downtime, safety hazards, financial losses, and damage to reputation. Given the interconnected nature of modern industrial networks and the increasing convergence of IT and OT, a successful attack exploiting this vulnerability could also serve as a foothold for lateral movement and more extensive cyberattacks. European organizations with critical infrastructure components relying on WAGO devices may face regulatory scrutiny under frameworks such as NIS2 and GDPR if sensitive data is compromised or service availability is impacted.
Mitigation Recommendations
1. Immediate network segmentation: Isolate WAGO CC100 0751-9x01 devices from general IT networks and restrict access to trusted management networks only. 2. Implement strict firewall rules to limit inbound and outbound traffic to and from these devices, allowing only necessary protocols and IP addresses. 3. Monitor network traffic for unusual cross-origin requests or data flows that could indicate exploitation attempts. 4. Disable or restrict CORS policies on the device if configurable, or apply web application firewalls (WAFs) capable of enforcing domain restrictions on HTTP headers. 5. Engage with WAGO support and subscribe to their security advisories for timely patches or firmware updates addressing this vulnerability. 6. Conduct regular security assessments and penetration tests focusing on OT environments to detect similar misconfigurations. 7. Employ intrusion detection systems (IDS) tailored for OT to detect anomalous behavior related to this vulnerability. 8. Train OT personnel on cybersecurity best practices and incident response specific to ICS vulnerabilities. These steps go beyond generic advice by focusing on OT-specific controls and proactive monitoring tailored to the affected product and environment.
For access to advanced analysis and higher rate limits, contact root@offseq.com
Technical Details
- Data Version
- 5.1
- Assigner Short Name
- CERTVDE
- Date Reserved
- 2025-02-06T12:30:08.317Z
- Cvss Version
- 3.1
- State
- PUBLISHED
Threat ID: 684fec2ca8c921274383f273
Added to database: 6/16/2025, 10:04:28 AM
Last enriched: 6/16/2025, 10:19:49 AM
Last updated: 8/13/2025, 1:44:45 AM
Views: 20
Related Threats
CVE-2025-3495: CWE-338 Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) in Delta Electronics COMMGR
CriticalCVE-2025-53948: CWE-415 Double Free in Santesoft Sante PACS Server
HighCVE-2025-52584: CWE-122 Heap-based Buffer Overflow in Ashlar-Vellum Cobalt
HighCVE-2025-46269: CWE-122 Heap-based Buffer Overflow in Ashlar-Vellum Cobalt
HighCVE-2025-54862: CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') in Santesoft Sante PACS Server
MediumActions
Updates to AI analysis are available only with a Pro account. Contact root@offseq.com for access.
External Links
Need enhanced features?
Contact root@offseq.com for Pro access with improved analysis and higher rate limits.