WAGO: Vulnerabilities in WAGO Industrial-Managed Switches

Plan PatchCVSS 9.8VDE-2025-095Dec 10, 2025

WAGOManufacturing

Attack path

Attack VectorNetwork

Auth RequiredNone

ComplexityLow

User InteractionNone needed

Summary

Two remote stack buffer overflow vulnerabilities exist in WAGO Industrial-Managed-Switches (models 0852-1322 and 0852-1328, firmware versions 01.00 through 02.63). The vulnerabilities are caused by unsafe input handling in custom HTTP request parsing functions within the lighttpd binary. The affected binary lacks modern security mitigations (Position Independent Executable and Relocation Read-Only). An attacker can send a malicious HTTP request to trigger memory corruption and potentially execute arbitrary code on the switch with full system privileges.

What this means

What could happen

An attacker on the network could overflow memory in the switch's web interface, potentially executing arbitrary code and gaining control of the switch. This could allow them to interrupt network connectivity for critical plant systems or pivot further into your operations network.

Who's at risk

Manufacturing plants and utilities using WAGO Industrial-Managed-Switches models 0852-1322 and 0852-1328 for network connectivity are affected. This includes any site where these switches are used to connect control devices, sensors, or communication between plant areas.

How it could be exploited

An attacker sends a specially crafted HTTP request to the switch's web interface (port 80 or similar). The lighttpd HTTP parser does not properly validate input length and writes beyond allocated buffer space. This overflow can overwrite memory containing executable code, allowing the attacker to execute commands on the switch.

Prerequisites

Network access to the switch's HTTP interface (typically port 80)
No authentication required

remotely exploitableno authentication requiredlow complexityaffects network infrastructure (can disrupt control operations)

Exploitability

Unlikely to be exploited — EPSS score 0.1%

Affected products (2)

2 with fix

ProductAffected VersionsFix Status

Industrial-Managed-Switches 0852-1322≥ 01.00, < 02.6402.64

Industrial-Managed-Switches 0852-1328≥ 01.00, < 02.6402.64

Remediation & Mitigation

0/3

Do now

0/1

WORKAROUNDRestrict network access to the switch's web interface using firewall rules; only allow management traffic from trusted engineering workstations or networks

Schedule — requires maintenance window

0/1

Patching may require device reboot — plan for process interruption

Industrial-Managed-Switches 0852-1322

HOTFIXUpdate Industrial-Managed-Switches 0852-1322 and 0852-1328 firmware to version 02.64 or later

Long-term hardening

0/1

HARDENINGSegment the industrial switch to a dedicated management VLAN separate from plant control network traffic

CVEs (2)

CVE-2025-41732 CVE-2025-41730

View full CERT@VDE advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/3bf1cd79-8bac-48f8-b7b8-0bcc8a45138f

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.