WAGO: Vulnerabilities in Managed Switch

Plan PatchCVSS 9.8VDE-2026-004Feb 9, 2026

WAGOManufacturing

Attack path

Attack VectorNetwork

Auth RequiredNone

ComplexityLow

User InteractionNone needed

Summary

Multiple vulnerabilities in the WAGO 852-1328 and 852-1322 managed switches have been identified in the web-based management interface. The issues include stack buffer overflows in CGI handlers, authentication bypass, and insecure credential storage. These allow remote code execution and unauthorized administrative access without credentials, affecting all firmware versions 2.64 and earlier.

What this means

What could happen

An attacker with network access to the web management interface could execute arbitrary code on the switch, potentially disrupting network connectivity to critical industrial equipment or altering switch configurations to intercept and manipulate traffic between control systems.

Who's at risk

Manufacturing facilities and utilities using WAGO Industrial-Managed-Switch models 0852-1328 and 0852-1322 for network connectivity between PLCs, HMIs, and control systems. Any site where these switches handle real-time industrial traffic or provide connectivity to critical production equipment.

How it could be exploited

An attacker on the network sends a specially crafted request to the web management interface (port 80 or 443) triggering a stack buffer overflow in the CGI handler, or exploits the authentication bypass to gain admin access without credentials, then uses that access to run arbitrary commands on the switch.

Prerequisites

Network access to the web management interface (typically port 80/443)
Device running firmware version 2.64 or earlier
No authentication required for certain buffer overflow and bypass vulnerabilities

Remotely exploitableNo authentication required (for some vulnerabilities)Low complexity attackHigh CVSS score (9.8)Affects network infrastructure in control systemsBuffer overflow vulnerabilities

Exploitability

Unlikely to be exploited — EPSS score 0.7%

Affected products (4)

4 with fix

ProductAffected VersionsFix Status

Industrial-Managed-Switch 0852-1328≤ 2.6402.65

Industrial-Managed-Switch 0852-13282.6402.65

Industrial-Managed-Switch 0852-1322≤ 2.6402.65

Industrial-Managed-Switch 0852-13222.6402.65

Remediation & Mitigation

0/3

Do now

0/1

WORKAROUNDRestrict network access to the switch management interface (port 80/443) to authorized engineering and administrative workstations only

Schedule — requires maintenance window

0/1

Patching may require device reboot — plan for process interruption

Industrial-Managed-Switch 0852-1328

HOTFIXUpdate WAGO Industrial-Managed-Switch 0852-1328 and 0852-1322 firmware to version 02.65 or later

Long-term hardening

0/1

HARDENINGPlace the managed switch on a dedicated management VLAN isolated from production control networks

CVEs (4)

CVE-2026-22903 CVE-2026-22904 CVE-2026-22906 CVE-2026-22905

View full CERT@VDE advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/50c7f839-9c6c-429c-ad2e-a3736c43d35e

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.