WAGO GmbH & Co. KG Industrial Managed Switches

Act Now | 10 | ICS-CERT ICSA-26-085-01 | Mar 23, 2026
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

An undocumented function in WAGO Lean and Industrial Managed Switches allows unauthenticated remote attackers to fully compromise affected devices. The vulnerability affects multiple switch models across firmware versions. WAGO has released patched firmware versions; however, some currently deployed versions (those at the latest version level such as V1.2.1.S0) do not have an available fix and require immediate mitigation through disabling remote access protocols.

What this means
What could happen
An unauthenticated attacker on the network could fully compromise a WAGO managed switch, allowing them to intercept or redirect network traffic, isolate critical equipment, or cause production downtime by disrupting communication between plant systems.
Who's at risk
Manufacturers and utilities operating WAGO Lean Managed Switches (models 852-1812, 852-1813, 852-1816) and Industrial Managed Switches (models 852-303, 852-1305, 852-1505, 852-602, 852-603, 852-1605) in production networks. These devices are critical for managing traffic between PLCs, I/O modules, and control systems.
How it could be exploited
An attacker with network access to a WAGO managed switch can send an undocumented function call over the network without credentials to achieve remote code execution and gain administrative control of the device.
Prerequisites
  • Network access to the affected WAGO switch
  • No credentials required
  • Remotely exploitable
  • No authentication required
  • Low complexity
  • No patch available for some latest versions
  • Critical CVSS score (10.0)
  • Affects network infrastructure affecting all downstream systems
Exploitability
Low exploit probability (EPSS 0.1%)
Affected products (32)
16 with fix, 16 pending

Product                                | Affected Versions | Fix Status
Lean Managed Switch 852-1812           | < V1.2.1.S0       | No fix yet
Lean Managed Switch 852-1813           | < V1.2.1.S0       | No fix yet
Lean Managed Switch 852-1813/000-001   | < V1.2.3.S0       | No fix yet
Lean Managed Switch 852-1816           | < V1.2.1.S0       | No fix yet
Industrial Managed Switch 852-303      | < V1.2.8.S0       | No fix yet
Remediation & Mitigation
Do now
WORKAROUND: Disable SSH and Telnet access on all affected WAGO switches to restrict CLI access to local RS232 serial connections only
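
To confirm the workaround took effect across a fleet, the following added example (not part of the original advisory or any WAGO tooling) probes each switch's management address for SSH and Telnet and lists the devices that still accept connections. The port numbers 22 and 23 and the inventory names and addresses are assumptions; the page does not specify them.

```python
import socket
from concurrent.futures import ThreadPoolExecutor

# Assumption: SSH and Telnet listen on their default ports (the advisory
# page lists no port numbers). Adjust if your switches are configured otherwise.
REMOTE_CLI_PORTS = {"ssh": 22, "telnet": 23}


def probe(host, port, timeout=2.0):
    """Return 'open', 'closed' (actively refused) or 'no-response'."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "closed"
    except OSError:  # timeout, host unreachable, name resolution failure
        return "no-response"


def audit(inventory, ports=REMOTE_CLI_PORTS, timeout=2.0):
    """inventory: {switch_name: management_ip} -> {name: {service: state}}."""
    jobs = [(name, host, svc, port)
            for name, host in inventory.items()
            for svc, port in ports.items()]
    report = {}
    with ThreadPoolExecutor(max_workers=16) as pool:
        states = pool.map(lambda j: probe(j[1], j[3], timeout), jobs)
        for (name, _, svc, _), state in zip(jobs, states):
            report.setdefault(name, {})[svc] = state
    return report


def still_exposed(report):
    """Names of switches where a remote CLI service still accepts connections."""
    return sorted(n for n, svcs in report.items() if "open" in svcs.values())


if __name__ == "__main__":
    # Constructed inventory; replace with your own management addresses.
    inventory = {"sw-line1": "192.0.2.10", "sw-line2": "192.0.2.11"}
    report = audit(inventory)
    for name, svcs in sorted(report.items()):
        print(name, svcs)
    print("remote CLI still reachable on:", still_exposed(report) or "none")
```

A result of "closed" or "no-response" only reflects reachability from the host running the check, so run it from each network segment that can reach the switch management interfaces.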
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Update all WAGO Lean and Industrial Managed Switches to the specified firmware version (see product list: v1.2.1.S1, v1.2.3.S1, v1.2.8.S1, v1.2.0.S1, v1.1.9.S1, v1.0.6.S1, or v1.2.5.S1 depending on model)