OT Hunt: WAGO PLC 750-88x

This is the 3rd topic of “OT Hunt”. These topics expose ICS/OT devices that are connected to the internet. The goal is to build awareness in the ICS community. This kind of research is also a warning message for asset owners and ICS/OT vendors to secure their assets’ attack surfaces.

I used the following keyword/dork to search for WAGO on the Shodan search engine. Please check out my ICS dorks project on GitHub:

Product name: WAGO

This search yielded 41 online WAGO devices. The results also showed an “ICS” tag for each device (based on Shodan). In this research I focused on the WAGO 750-88x. There are other WAGO products that are tagged as “ICS” in Shodan; I will cover them in the future. The common port for this WAGO PLC is:

44818 TCP/UDP

The WAGO PLC 750-88x and 750-87x are vulnerable and are listed in a US-CERT ICS advisory. There is a risky vulnerability (hard-coded credentials) with a CVSS v3 score of 9.8. This vulnerability allows an attacker to change device settings, lock device access and gain FTP access.

ICSA-19-106-02

I found web servers (interfaces) for some of these devices. The interfaces are used for managing WAGO PLC settings and viewing status information. I also found a web interface, “StruxureWare” by Schneider Electric, that is used for power management.

http://ip-address/wbm/index.php
http://ip-address/plc/webvisu.htm
http://ip-address/login/login.html 
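
As an added example (not part of the original post), asset owners can use the port and management paths listed above to look for external access in their own logs. The log formats, the internal address ranges and the sample lines below are assumptions constructed for illustration.

```python
import ipaddress
import re

# From the post: the management paths and the common WAGO PLC port.
MGMT_PATHS = {"/wbm/index.php", "/plc/webvisu.htm", "/login/login.html"}
PLC_PORT = 44818

# Assumption: the site's internal ranges are the RFC 1918 blocks.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Assumed (hypothetical) formats: a web access log and a firewall allow log.
WEB_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST|HEAD) (\S+) [^"]*" (\d{3})')
FW_RE = re.compile(r'^ALLOW (TCP|UDP) (\S+):\d+ -> (\S+):(\d+)$')

# Constructed sample lines using documentation addresses, not real traffic.
SAMPLE_LOG = [
    '10.0.5.40 - - [12/Mar/2024:09:58:11 +0000] "GET /wbm/index.php HTTP/1.1" 200 5120',
    '203.0.113.7 - - [12/Mar/2024:10:01:02 +0000] "GET /wbm/index.php?x=1 HTTP/1.1" 200 5120',
    '198.51.100.20 - - [12/Mar/2024:10:03:40 +0000] "GET /index.html HTTP/1.1" 404 0',
    'ALLOW TCP 198.51.100.20:51544 -> 10.0.5.12:44818',
    'ALLOW UDP 10.0.5.40:40000 -> 10.0.5.12:44818',
    'ALLOW TCP 203.0.113.7:51000 -> 10.0.5.12:443',
]

def is_external(ip_text):
    """True when the source address is outside every internal range."""
    addr = ipaddress.ip_address(ip_text)
    return not any(addr in net for net in INTERNAL_NETS)

def find_exposure(lines):
    """Return (kind, source, target) tuples for external access to the PLC."""
    findings = []
    for line in lines:
        web = WEB_RE.match(line)
        fw = FW_RE.match(line)
        if web:
            src, url, _status = web.groups()
            path = url.split("?", 1)[0]  # ignore the query string
            if path in MGMT_PATHS and is_external(src):
                findings.append(("web", src, path))
        elif fw:
            _proto, src, dst, port = fw.groups()
            if int(port) == PLC_PORT and is_external(src):
                findings.append(("plc-port", src, dst))
    return findings

if __name__ == "__main__":
    for finding in find_exposure(SAMPLE_LOG):
        print(finding)
```

Any finding means the PLC's web interface or port 44818 was reachable from outside the assumed internal ranges and the exposure should be closed at the perimeter.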

That’s it for today’s topic. Stay safe.
