---
title: "Critical Flaw in WAGO Industrial Switches Allows Full Device Takeover"
short_title: "WAGO switches critical CLI escape flaw"
description: "Unauthenticated attackers can exploit a hidden CLI function in WAGO industrial managed switches to bypass restrictions and compromise devices. Patch now to secure critical infrastructure."
author: "Vitus"
date: 2024-10-02
categories: [Cybersecurity, Vulnerabilities]
tags: [wago, cve-2026-3587, industrial-security, cli-escape, critical-vulnerability]
score: 0.95
cve_ids: [CVE-2026-3587]
---
TL;DR
A critical vulnerability (CVE-2026-3587) in WAGO industrial managed switches allows unauthenticated remote attackers to exploit a hidden CLI function, bypass security restrictions, and gain full control of affected devices. With a CVSS score of 10, this flaw poses a severe risk to critical infrastructure sectors, including energy, manufacturing, and transportation. Immediate patching or mitigation steps are essential to prevent exploitation.
---
Main Content
Introduction
Industrial networks rely on robust and secure managed switches to ensure operational continuity and safety. However, a newly disclosed critical vulnerability in WAGO GmbH & Co. KG Industrial Managed Switches threatens the security of organizations across multiple sectors. Tracked as CVE-2026-3587, this flaw enables unauthenticated remote attackers to exploit a hidden function in the Command Line Interface (CLI), escape the restricted environment, and compromise the device entirely. With a CVSS score of 10, this vulnerability demands immediate attention from security teams and infrastructure operators.
---
Key Points
- Critical Vulnerability: CVE-2026-3587 allows unauthenticated remote attackers to bypass security restrictions and gain full control of WAGO industrial managed switches.
- Affected Systems: Multiple firmware versions across 18 WAGO hardware models are vulnerable, including Lean Managed Switches and Industrial Managed Switches.
- High-Risk Sectors: The flaw impacts critical infrastructure, including energy, manufacturing, transportation, and commercial facilities.
- Global Deployment: WAGO switches are deployed worldwide, increasing the potential attack surface.
- Mitigation Available: WAGO has released patched firmware versions and provided workarounds to reduce exposure.
---
Technical Details
#### Vulnerability Overview
CVE-2026-3587 is classified as a hidden functionality vulnerability (CWE-912). The flaw resides in the CLI prompt of WAGO industrial managed switches, where an undocumented function allows attackers to escape the restricted interface without authentication. Once exploited, attackers can execute arbitrary commands, modify configurations, and gain full administrative control over the device.
#### CVSS Metrics
The vulnerability has been assigned the highest possible severity score of 10.0 under CVSS v3.1. The vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H indicates:
- Attack Vector (AV:N): Exploitable remotely over the network.
- Attack Complexity (AC:L): Low complexity; no special conditions required.
- Privileges Required (PR:N): No authentication needed.
- User Interaction (UI:N): No user interaction required.
- Scope (S:C): Exploitation affects components beyond the vulnerable system.
- Impact: High on confidentiality, integrity, and availability.
---
Affected Systems
The following WAGO firmware versions and hardware models are affected by CVE-2026-3587:
#### Lean Managed Switches
- 852-1812: Firmware versions prior to V1.2.1.S0
- 852-1813: Firmware versions prior to V1.2.1.S0 and V1.2.3.S0 (for 852-1813/000-001)
- 852-1816: Firmware versions prior to V1.2.1.S0
- 852-1812/010-000: Firmware versions prior to V1.2.1.S0
- 852-1813/010-000: Firmware versions prior to V1.2.1.S0
- 852-1816/010-000: Firmware versions prior to V1.2.1.S0
- 852-1813/010-001: Firmware versions prior to V1.2.1.S1
#### Industrial Managed Switches
- 852-303: Firmware versions prior to V1.2.8.S0
- 852-1305: Firmware versions prior to V1.2.0.S0
- 852-1305/000-001: Firmware versions prior to V1.2.0.S0
- 852-1505/000-001: Firmware versions prior to V1.2.0.S0
- 852-1505: Firmware versions prior to V1.1.9.S0
- 852-602: Firmware versions prior to V1.0.6.S0
- 852-603: Firmware versions prior to V1.0.6.S0
- 852-1605: Firmware versions prior to V1.2.5.S0
---
Impact Assessment
#### Potential Consequences
The exploitation of CVE-2026-3587 can lead to severe operational and security risks, including:
- Unauthorized Access: Attackers can gain full control of affected switches, enabling them to monitor, manipulate, or disrupt network traffic.
- Lateral Movement: Compromised switches can serve as a gateway for attackers to move laterally within industrial networks, targeting other critical systems.
- Operational Disruption: Malicious actors can disable or misconfigure switches, leading to downtime, production halts, or safety incidents in industrial environments.
- Data Theft or Manipulation: Sensitive data transmitted through affected switches may be intercepted, altered, or exfiltrated.
#### Targeted Sectors
The vulnerability poses a significant threat to organizations in the following critical infrastructure sectors:
- Energy: Power plants, electrical grids, and renewable energy facilities.
- Critical Manufacturing: Automotive, aerospace, and industrial manufacturing.
- Transportation Systems: Railways, airports, and smart traffic management.
- Commercial Facilities: Large-scale commercial buildings and data centers.
---
Mitigation Steps
WAGO has released patched firmware versions and provided workarounds to mitigate the risk of exploitation. Organizations using affected switches should take the following steps:
#### 1. Apply Firmware Updates
Update affected devices to the latest firmware versions:
- Lean Managed Switches:
- 852-1812: Firmware V1.2.1.S1
- 852-1813: Firmware V1.2.1.S1 or V1.2.3.S1 (for 852-1813/000-001)
- 852-1816: Firmware V1.2.1.S1
- 852-1812/010-000: Firmware V1.2.1.S1
- 852-1813/010-000: Firmware V1.2.1.S1
- 852-1816/010-000: Firmware V1.2.1.S1
- 852-1813/010-001: Firmware V1.2.1.S1
- Industrial Managed Switches:
- 852-303: Firmware V1.2.8.S1
- 852-1305: Firmware V1.2.0.S1
- 852-1305/000-001: Firmware V1.2.0.S1
- 852-1505/000-001: Firmware V1.2.0.S1
- 852-1505: Firmware V1.1.9.S1
- 852-602: Firmware V1.0.6.S1
- 852-603: Firmware V1.0.6.S1
- 852-1605: Firmware V1.2.5.S1
#### 2. Disable Remote Access
- Lean Managed Switches (852-1812, 852-1813, 852-1816, and variants):
- Deactivate SSH and Telnet to eliminate the remote attack vector.
- Industrial Managed Switches (852-303, 852-1305, 852-1505, 852-602, 852-603, 852-1605):
- Deactivate SSH and Telnet to ensure the CLI is only accessible locally via RS232.
#### 3. Network Segmentation
- Isolate affected switches from business networks using firewalls and VLANs.
- Minimize network exposure for all control system devices to reduce the risk of remote exploitation.
#### 4. Monitor for Suspicious Activity
- Deploy intrusion detection systems (IDS) and network monitoring tools to detect unusual activity.
- Regularly review logs and access records for signs of unauthorized access.
#### 5. Follow CISA Recommendations
- Implement defensive measures outlined by CISA, including:
- Using secure remote access methods like VPNs (ensure they are updated to the latest version).
- Performing risk assessments before deploying mitigations.
- Referring to CISA’s ICS security best practices for additional guidance.
---
Conclusion
The discovery of CVE-2026-3587 in WAGO industrial managed switches underscores the critical importance of securing industrial control systems (ICS). With a CVSS score of 10, this vulnerability presents a severe risk to organizations in energy, manufacturing, transportation, and commercial facilities. Attackers can exploit this flaw to gain full control of affected devices, leading to operational disruptions, data breaches, and safety incidents.
Organizations using WAGO switches must act immediately by applying the latest firmware updates, disabling remote access, and implementing network segmentation. Proactive measures, such as monitoring for suspicious activity and following CISA’s recommended practices, are essential to mitigate risks and protect critical infrastructure.
For more information, refer to WAGO’s official security advisory and CISA’s guidelines.
---
References
[^1]: CISA. "[ICSA-26-085-01 WAGO GmbH & Co. KG Industrial Managed Switches](https://www.cisa.gov/news-events/ics-advisories/icsa-26-085-01)". Retrieved 2024-10-02.
[^2]: WAGO. "[PSIRT Advisory VDE-2026-020](https://www.wago.com/de-en/automation-technology/psirt)". Retrieved 2024-10-02.
[^3]: CERT@VDE. "[VDE-2026-020: WAGO Vulnerability in Managed Switches](https://certvde.com/en/advisories/VDE-2026-020)". Retrieved 2024-10-02.
[^4]: MITRE. "[CWE-912: Hidden Functionality](https://cwe.mitre.org/data/definitions/912.html)". Retrieved 2024-10-02.