Cyber Posture

CVE-2024-1490

Severity: High · Type: RCE

Published: 09 April 2026
Modified: 13 April 2026
KEV Added: not listed (not in the CISA KEV catalog)
Patch: see vendor advisory VDE-2024-008 (referenced below)
CVSS Score: 7.2 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0010 (26.3rd percentile)
Risk Priority: 14 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2024-1490 is a high-severity Code Injection (CWE-94) vulnerability in the OpenVPN configuration feature of the web-based management interface of WAGO PLC devices. NVD filed no CPE for it, so the product field on this page is inferred from references. Its CVSS v3.1 base score is 7.2 (High); note the PR:H component, meaning exploitation requires an already highly privileged account on the device.

Operationally, it ranks at the 26.3rd percentile by EPSS exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 CM-7 (Least Functionality) and SI-10 (Information Input Validation).

Threat & Defense at a Glance

What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

Prevent: SI-2 (Flaw Remediation). Timely vendor patching directly removes the code injection flaw in the OpenVPN configuration feature.

Prevent: CM-7 (Least Functionality). Restricting or prohibiting user-defined scripts in OpenVPN (in OpenVPN terms, the script-security setting and the up/down-style script hooks) removes the prerequisite condition for arbitrary shell command execution, so a malicious configuration has nothing to trigger.

Prevent: SI-10 (Information Input Validation). Validating the OpenVPN configuration submitted through the web-based management interface, and rejecting directives that execute external commands or include further files, blocks the injection before it reaches the daemon.

NVD Description

An authenticated remote attacker with high privileges can exploit the OpenVPN configuration via the web-based management interface of a WAGO PLC. If user-defined scripts are permitted, OpenVPN may allow the execution of arbitrary shell commands enabling the attacker to run arbitrary commands on the device.

Deeper analysis

CVE-2024-1490 is a code injection vulnerability (CWE-94) in the OpenVPN configuration feature accessible via the web-based management interface of WAGO PLC devices. Published on 2026-04-09, it enables an authenticated remote attacker with high privileges to execute arbitrary shell commands on the device, provided that user-defined scripts are permitted in the OpenVPN setup. The vulnerability carries a CVSS v3.1 base score of 7.2 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H), indicating high impact on confidentiality, integrity, and availability.

Exploitation requires an attacker to first gain high-privilege authenticated access remotely over the network. From there, they can manipulate the OpenVPN configuration through the web interface to inject and trigger arbitrary shell commands, achieving full remote code execution on the PLC. This could allow complete device compromise, such as data exfiltration, modification of PLC operations, or further lateral movement in industrial environments.

Mitigation guidance is detailed in advisories including VDE-2024-008 from CERT VDE (https://certvde.com/de/advisories/VDE-2024-008) and the associated CSAF provider JSON (https://wago.csaf-tp.certvde.com/.well-known/csaf/white/2026/vde-2024-008.json). Security practitioners should consult these for patching instructions, configuration hardening, and disabling unnecessary user-defined scripts in OpenVPN.
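As an added worked example (not code from WAGO, OpenVPN or the CERT VDE advisory), the following Python validator shows the CM-7 and SI-10 controls named in the summary applied to a user-supplied OpenVPN configuration: it skips inline certificate blocks so their contents are not mistaken for options, strips the leading "--" that OpenVPN accepts in config files so it cannot be used to slip past a naive scanner, and rejects the script-security setting and the up/down-style hooks through which a permitted user-defined script becomes arbitrary command execution. The directive names are real OpenVPN options; the allowlist, the policy names and the two sample configurations are constructed here for illustration.

```python
"""Validate OpenVPN configs submitted through a management UI (added example).

Illustrates CM-7 (least functionality) and SI-10 (input validation) for
CVE-2024-1490. Directive names are real OpenVPN options; the allowlist,
policy names and sample configs below are constructed for this example.
"""
import re

# OpenVPN options that make the daemon run an external command or load code.
# With "script-security 2" or higher, the hooks below execute whatever path
# or shell string the config supplies; "plugin" loads a shared object.
SCRIPT_DIRECTIVES = frozenset({
    "script-security", "up", "down", "route-up", "route-pre-down", "ipchange",
    "tls-verify", "auth-user-pass-verify", "client-connect",
    "client-disconnect", "learn-address", "plugin",
})

# "config" pulls another file from the device filesystem into the parse.
INCLUDE_DIRECTIVES = frozenset({"config"})

# Constructed allowlist: what a PLC-hosted OpenVPN client plausibly needs.
# A real deployment would derive this from the device's documented features.
ALLOWED_DIRECTIVES = frozenset({
    "client", "dev", "proto", "remote", "resolv-retry", "nobind",
    "persist-key", "persist-tun", "remote-cert-tls", "cipher", "data-ciphers",
    "auth", "verb", "ca", "cert", "key", "tls-auth", "tls-crypt",
    "key-direction",
})

_INLINE_OPEN = re.compile(r"^<([a-z0-9-]+)>$")


def parse_directives(text):
    """Yield (lineno, directive) per option line, skipping inline blocks.

    <ca>...</ca> style blocks carry certificate material, not options, so
    their body is not scanned. OpenVPN accepts a leading "--" in config
    files, so it is stripped before matching.
    """
    inline = None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if inline is not None:
            if line == f"</{inline}>":
                inline = None
            continue
        if not line or line[0] in "#;":
            continue
        match = _INLINE_OPEN.match(line)
        if match:
            inline = match.group(1)
            yield lineno, inline  # the tag name is the option, e.g. "ca"
            continue
        name = line.split()[0]
        if name.startswith("--"):
            name = name[2:]
        yield lineno, name


def validate_config(text, policy="denylist"):
    """Return (lineno, directive, reason) findings; an empty list means accept.

    "denylist" rejects only command-executing and include directives
    (SI-10 style); "allowlist" also rejects anything outside
    ALLOWED_DIRECTIVES (CM-7 style least functionality).
    """
    findings = []
    for lineno, name in parse_directives(text):
        if name in SCRIPT_DIRECTIVES:
            findings.append((lineno, name, "executes external command or loads code"))
        elif name in INCLUDE_DIRECTIVES:
            findings.append((lineno, name, "includes another file from the device"))
        elif policy == "allowlist" and name not in ALLOWED_DIRECTIVES:
            findings.append((lineno, name, "directive not in allowlist"))
    return findings


# Constructed sample: a legitimate client config with an inline CA block.
BENIGN_CONF = """\
client
dev tun
proto udp
remote vpn.example.invalid 1194
remote-cert-tls server
cipher AES-256-GCM
verb 3
<ca>
-----BEGIN CERTIFICATE-----
MIIB...placeholder certificate body...
-----END CERTIFICATE-----
</ca>
"""

# Constructed sample: a config that turns the VPN client into a script launcher.
MALICIOUS_CONF = """\
client
dev tun
remote vpn.example.invalid 1194
script-security 2
--up /tmp/uploaded/run.sh
tls-verify /tmp/uploaded/verify.sh
config /etc/openvpn/extra.conf
"""

if __name__ == "__main__":
    for label, conf in (("benign", BENIGN_CONF), ("malicious", MALICIOUS_CONF)):
        for policy in ("denylist", "allowlist"):
            print(label, policy, validate_config(conf, policy))
```

The allowlist mode is the one that actually implements CM-7: instead of chasing every OpenVPN option that can spawn a process, it admits only the options the device's VPN client is documented to need, so a future or overlooked script hook is rejected by default rather than by enumeration.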

Details

CWE(s)
CWE-94 (Improper Control of Generation of Code, 'Code Injection')

Affected Products
WAGO PLC devices with the web-based management interface, per the NVD description. NVD did not file a CPE for this CVE; this page's automated inference from the references yielded "Certvde", which is CERT VDE, the publisher of advisory VDE-2024-008, not the affected vendor. Consult the advisory for the exact affected models and versions.

CVEs Like This One

CVE-2026-25001 (shared CWE-94)
CVE-2026-32573 (shared CWE-94)
CVE-2025-25943 (shared CWE-94)
CVE-2025-67113 (shared CWE-94)
CVE-2025-22906 (shared CWE-94)
CVE-2025-63421 (shared CWE-94)
CVE-2025-23209 (shared CWE-94)
CVE-2026-39440 (shared CWE-94)
CVE-2026-42238 (shared CWE-94)
CVE-2026-32276 (shared CWE-94)
