WAGO: Vulnerabilities in Device Sphere and Solution Builder

Plan Patch | CVSS 9.8 | VDE-2025-087 | Sep 24, 2025
WAGO
Attack path
  Attack Vector: Network
  Auth Required: None
  Complexity: Low
  User Interaction: None needed
Summary

Due to missing authentication checks, WAGO Device Sphere (versions before 1.1.0) and WAGO Solution Builder (versions before 2.3.3) allow unauthenticated access to sensitive information. An attacker without credentials can query API endpoints to access configuration data, operational parameters, and potentially stored credentials.

What this means
What could happen
An unauthenticated attacker with network access to WAGO Device Sphere or Solution Builder could access sensitive configuration and operational data without credentials, potentially exposing control system settings, credentials, or process parameters.
Who's at risk
WAGO automation engineers and plant operators who use Device Sphere or Solution Builder for PLC/controller programming and device management. This affects anyone managing WAGO controllers (PLCs, I/O modules, edge devices) that rely on these tools for configuration and maintenance.
How it could be exploited
An attacker sends unauthenticated requests to exposed API or web interface endpoints on Device Sphere or Solution Builder. The missing authentication check allows direct access to information endpoints, returning sensitive data without requiring valid credentials.
Prerequisites
  • Network access to Device Sphere or Solution Builder management interface (typically port 80/443)
  • No authentication credentials required
Tags: remotely exploitable, no authentication required, low complexity, affects control system configuration tools
Exploitability
Unlikely to be exploited — EPSS score 0.1%
Affected products (2)
2 with fix
Product                      | Affected Versions | Fix Status
Device Sphere (Software)     | <1.1.0            | Fixed in 1.1.0
Solution Builder (Software)  | <2.3.3            | Fixed in 2.3.3
Remediation & Mitigation
Do now
HARDENING: Restrict network access to Device Sphere and Solution Builder management interfaces using firewall rules; allow only from authorized engineering workstations or IT management network segments
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Update WAGO Device Sphere to version 1.1.0 or later
HOTFIX: Update WAGO Solution Builder to version 2.3.3 or later
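The advisory gives two fixed releases (1.1.0 and 2.3.3); the following added example, not OTPulse or WAGO code, triages a constructed asset inventory against those thresholds using numeric version comparison so that a release such as 1.10.0 is not mistaken for an affected build. Hostnames and the inventory list are placeholders.

```python
"""Added example: triage a WAGO asset inventory against VDE-2025-087.
Not OTPulse or WAGO code; hostnames and inventory below are constructed."""

# Fixed versions from the advisory; anything below them is affected.
FIXED_VERSIONS = {
    "Device Sphere": (1, 1, 0),
    "Solution Builder": (2, 3, 3),
}


def parse_version(text):
    """'1.0.9' -> (1, 0, 9). Comparing tuples of ints avoids the string
    comparison trap where '1.9.0' would sort after '1.10.0'."""
    return tuple(int(part) for part in text.strip().split("."))


def is_affected(product, version):
    """True when the installed version is older than the fixed release."""
    fixed = FIXED_VERSIONS[product]
    installed = parse_version(version)
    width = max(len(fixed), len(installed))

    def pad(v):  # so a short '1.1' compares like '1.1.0'
        return v + (0,) * (width - len(v))

    return pad(installed) < pad(fixed)


def triage(inventory):
    """Map hostname -> remediation action for (hostname, product, version)
    tuples, mirroring the advisory's hotfix and hardening steps."""
    actions = {}
    for host, product, version in inventory:
        if product not in FIXED_VERSIONS:
            actions[host] = "not in scope of VDE-2025-087"
        elif is_affected(product, version):
            target = ".".join(map(str, FIXED_VERSIONS[product]))
            actions[host] = (f"HOTFIX: update {product} to {target}; "
                             "HARDENING: restrict 80/443 until patched")
        else:
            actions[host] = "OK: at or above fixed version"
    return actions


# Constructed sample inventory (hostnames are placeholders).
SAMPLE_INVENTORY = [
    ("eng-ws-01", "Device Sphere", "1.0.9"),
    ("eng-ws-02", "Device Sphere", "1.10.0"),
    ("eng-ws-03", "Solution Builder", "2.3.2"),
    ("eng-ws-04", "Solution Builder", "2.3.3"),
]

if __name__ == "__main__":
    for host, action in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {action}")
```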
API: /api/v1/advisories/effae06e-2f21-46af-877c-3187a3a06800


WAGO: Vulnerabilities in Device Sphere and Solution Builder | CVSS 9.8 - OTPulse