WAGO: Bluetooth LE vulnerability in WLAN-ETHERNET-Gateway

An attacker within Bluetooth range could sniff pairing traffic and bypass authentication to pair with the gateway, potentially gaining unauthorized access to the device and the network it connects to.

Transportation operators using WAGO WLAN ETHERNET Gateways for remote gateway connectivity or coordination functions should assess whether Bluetooth LE is actively used in their deployments. This is particularly relevant for transit systems, rail operations, and vehicle fleet management systems that rely on wireless gateways for operational technology communications.

An attacker with physical proximity (Bluetooth LE range, typically 10-100 meters) passively captures the pairing handshake between a legitimate device and the gateway. The sniffed traffic reveals enough information to forge a valid pairing without knowing the original authentication secret, allowing the attacker to connect to the gateway as if they were authorized.