OTPulse
FeedAboutContact

WAGO: Vulnerability in WAGO Device Sphere

Act Now10VDE-2025-057Jun 23, 2025
Attack VectorNetwork
Auth RequiredNone
ComplexityLow
User InteractionNone needed
Summary

WAGO Device Sphere versions prior to 1.0.1 install identical certificates on all systems for JWT token encryption and signing instead of generating unique certificates per installation. This allows an attacker with network access to forge authentication tokens and impersonate legitimate users or systems. Version 1.0.0 will cease to function after 30 June 2025.

What this means
What could happen
An attacker with access to the network can forge authentication tokens to impersonate any user or system connected to WAGO Device Sphere, potentially compromising control over WAGO devices and operations across your facility.
Who's at risk
Water utilities, municipalities, and any industrial operation using WAGO PLC systems with the Device Sphere management platform should apply this update immediately to any WAGO Device Sphere 1.0 installations. This affects engineering workstations, control servers, and networked WAGO field devices running Device Sphere.
How it could be exploited
An attacker on the network intercepts or reverse-engineers the shared certificate installed on all systems during WAGO Device Sphere deployment. Using this certificate, the attacker can create fraudulent JWT tokens to authenticate to the Device Sphere platform or connected WAGO devices without valid credentials, gaining unauthorized command execution.
Prerequisites
  • Network access to WAGO Device Sphere systems or devices
  • WAGO Device Sphere version 1.0.0 deployed in the environment
remotely exploitableno authentication requiredlow complexityhigh CVSS score (10.0)affects control system authentication infrastructure
Exploitability
Low exploit probability (EPSS 0.2%)
Affected products (1)
ProductAffected VersionsFix Status
Software Device Sphere <1.0.1<1.0.11.0.1
Remediation & Mitigation
0/2
Schedule — requires maintenance window
0/2

Patching may require device reboot — plan for process interruption

HOTFIXUpdate WAGO Device Sphere to version 1.0.1 or later during a scheduled maintenance window
HOTFIXAfter 30 June 2025, WAGO Device Sphere version 1.0 will no longer be usable; plan upgrade completion before this deadline
View full CERT@VDE advisory
API: /api/v1/advisories/905829a7-ad1c-4fc4-a564-b20386ada9f3
WAGO: Vulnerability in WAGO Device Sphere | CVSS 10 - OTPulse