WAGO: Vulnerabilities in WAGO Industrial-Managed Switches

Act Now | CVSS 9.8 | VDE-2025-095 | Dec 10, 2025
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

Two stack buffer overflow vulnerabilities exist in WAGO Industrial-Managed-Switches models 0852-1322 and 0852-1328 (firmware versions 01.00 through 02.63). The vulnerabilities originate from unsafe input handling in custom HTTP request parsing within the lighttpd binary. The affected binary lacks modern security mitigations (PIE and RELRO), increasing exploitation risk. An attacker with network access can send a specially crafted HTTP request to trigger the overflow and potentially execute arbitrary code on the device.

What this means
What could happen
An attacker with network access to the switch can crash it or execute arbitrary code that could alter network traffic routing, drop critical process data, or interrupt communication between plant controllers and field devices.
Who's at risk
Manufacturing plants and utilities using WAGO Industrial-Managed-Switches 0852-1322 or 0852-1328 for network switching and management. These devices are critical to plant communication infrastructure and control network reliability.
How it could be exploited
An attacker sends a malicious HTTP request to the switch's web interface. The vulnerable HTTP parsing code in lighttpd does not properly validate input length, causing a stack buffer overflow. This allows the attacker to overwrite memory and execute arbitrary code on the switch, gaining control of the network device.
Prerequisites
  • Network access to the switch's HTTP port (port 80 or 443)
  • No authentication required
Risk factors: remotely exploitable, no authentication required, low complexity, high CVSS score (9.8), affects network infrastructure critical to operations
Exploitability
Low exploit probability (EPSS 0.1%)
Affected products (2)
2 with fix
Product | Affected Versions | Fix Status
Industrial-Managed-Switches 0852-1322 | ≥ 01.00, < 02.64 | 02.64
Industrial-Managed-Switches 0852-1328 | ≥ 01.00, < 02.64 | 02.64
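
To triage an asset inventory against the affected range in the table above, the following added example (not part of the original advisory or any WAGO tooling) classifies each device by model and firmware version. The CSV column layout, hostnames, the placeholder model 0852-0000 and the assumption that firmware strings compare numerically as major.minor are all constructed for illustration.

```python
import csv
import io
import re

# Affected range from the advisory table: >= 01.00 and < 02.64, both models.
AFFECTED_MODELS = {"0852-1322", "0852-1328"}
FIRST_AFFECTED = (1, 0)
FIXED_IN = (2, 64)

def parse_fw(text):
    """Parse 'MM.mm' firmware strings (optional 'V'/'FW' prefix) into a tuple."""
    m = re.fullmatch(r"\s*(?:v|fw)?\s*(\d+)\.(\d+)\s*", text, re.IGNORECASE)
    if not m:
        return None
    return int(m.group(1)), int(m.group(2))

def classify(model, firmware):
    """Return 'not-applicable', 'affected', 'fixed', 'unknown' or 'not-listed'."""
    if model.strip() not in AFFECTED_MODELS:
        return "not-applicable"
    ver = parse_fw(firmware)
    if ver is None:
        return "unknown"      # unparseable version: verify on the device itself
    if ver >= FIXED_IN:
        return "fixed"
    if ver >= FIRST_AFFECTED:
        return "affected"
    return "not-listed"       # below 01.00, outside the advisory's stated range

def triage(inventory_csv):
    """Map host -> status for each row of an inventory CSV (host,model,firmware)."""
    rows = csv.DictReader(io.StringIO(inventory_csv))
    return {r["host"]: classify(r["model"], r["firmware"]) for r in rows}

# Constructed sample inventory; hostnames and model 0852-0000 are placeholders.
SAMPLE = """host,model,firmware
sw-line1,0852-1322,02.63
sw-line2,0852-1328,02.64
sw-pack1,0852-1328,V01.00
sw-pack2,0852-1322,unknown
sw-office,0852-0000,02.10
"""

if __name__ == "__main__":
    for host, status in triage(SAMPLE).items():
        print(f"{host}: {status}")
```

Devices reported as "unknown" should be checked by hand and treated as affected until the firmware version is confirmed.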
Remediation & Mitigation
Do now
WORKAROUND: Restrict network access to the switch's HTTP/HTTPS ports to only authorized engineering workstations and management networks using firewall rules
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

Industrial-Managed-Switches 0852-1322
HOTFIX: Update Industrial-Managed-Switches 0852-1322 to firmware version 02.64 or later
Industrial-Managed-Switches 0852-1328
HOTFIX: Update Industrial-Managed-Switches 0852-1328 to firmware version 02.64 or later
Long-term hardening
HARDENING: Implement network segmentation to isolate WAGO switches on a protected OT network segment separate from untrusted networks