OTPulse

WAGO GmbH & Co. KG Industrial Managed Switches

Plan PatchCVSS 10ICS-CERT ICSA-26-085-01Mar 23, 2026
WAGOManufacturing
Attack path
Attack VectorNetwork
Auth RequiredNone
ComplexityLow
User InteractionNone needed
Summary

A vulnerability exists in WAGO Lean Managed Switches (852-1812, 852-1813, 852-1816) and Industrial Managed Switches (852-303, 852-1305, 852-1505, 852-602, 852-603, 852-1605) that allows an unauthenticated attacker on the network to fully compromise the device through an undocumented function. The vulnerability requires no credentials and allows arbitrary command execution with full device privileges, enabling the attacker to read/modify network traffic, disable switch functions, or pivot to attack connected control systems.

What this means
What could happen
An attacker with network access can completely compromise a WAGO managed switch without authentication, gaining the ability to read/modify network traffic, disable the switch, or use it as a pivot point to attack connected equipment on the production network.
Who's at risk
Manufacturing facilities and utilities operating WAGO Lean Managed Switches (852-1812, 852-1813, 852-1816) and Industrial Managed Switches (852-303, 852-1305, 852-1505, 852-602, 852-603, 852-1605) in production networks should review inventory immediately. These switches are commonly deployed in manufacturing automation, power distribution, and utility environments where they provide network backbone connectivity for PLCs, sensors, and control systems.
How it could be exploited
An unauthenticated attacker on the network sends a crafted request to an undocumented function on the switch. The function does not require authentication and allows the attacker to execute commands on the device with full privileges, leading to complete device takeover.
Prerequisites
  • Network access to the WAGO managed switch (usually on the OT network)
  • No credentials required
  • WAGO switch firmware older than the patched versions listed in the advisory
remotely exploitableno authentication requiredlow complexitycritical CVSS 10.0can fully compromise network backbone devicepotential to disrupt all connected equipment
Exploitability
Unlikely to be exploited — EPSS score 0.1%
Public Proof-of-Concept (PoC) on GitHub (1 repository)
Affected products (32)
16 with fix16 pending
ProductAffected VersionsFix Status
Lean Managed Switch 852-1812< V1.2.1.S0No fix yet
Lean Managed Switch 852-1813< V1.2.1.S0No fix yet
Lean Managed Switch 852-1813/000-001< V1.2.3.S0No fix yet
Lean Managed Switch 852-1816< V1.2.1.S0No fix yet
Industrial Managed Switch 852-303< V1.2.8.S0No fix yet
Remediation & Mitigation
0/4
Do now
0/2
WORKAROUNDDisable SSH and Telnet on all affected WAGO switches immediately to block remote command-line access
HARDENINGRestrict network access to WAGO switch management ports to authorized engineering workstations and control network only
Schedule — requires maintenance window
0/2

Patching may require device reboot — plan for process interruption

HOTFIXUpdate WAGO Lean Managed Switches 852-1812, 852-1813, 852-1816 (and their variants with suffixes /010-000 and /010-001) to firmware version V1.2.1.S1 or later
HOTFIXUpdate WAGO Industrial Managed Switches 852-303, 852-1305, 852-1505, 852-602, 852-603, 852-1605 (and variants with /000-001 or /010-000 suffixes) to the specified fixed firmware versions
View full CISA ICS-CERT advisory
API: /api/v1/advisories/6d0fa2b0-03a8-4f7f-aa2c-e75e362bac8e

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.

WAGO GmbH & Co. KG Industrial Managed Switches | CVSS 10 - OTPulse