WAGO: Vulnerabilities in Managed Switch

Act Now9.8VDE-2026-004Feb 9, 2026

Attack VectorNetwork

Auth RequiredNone

ComplexityLow

User InteractionNone needed

Summary

Multiple critical vulnerabilities exist in WAGO 852-1322 and 852-1328 managed switches, including stack buffer overflows, an authentication bypass, and insecure credential storage in the web-based management interface. These issues are implemented in a modified lighttpd server running custom CGI binaries. Unauthenticated network attackers can exploit these vulnerabilities to achieve remote code execution with full device privileges.

What this means

What could happen

An attacker with network access to the managed switch's web interface could execute arbitrary code on the device, potentially altering network traffic, disrupting communication between your control systems, or intercepting sensitive operational data.

Who's at risk

Manufacturing plants using WAGO Industrial-Managed Switches (models 0852-1322 and 0852-1328) for network backbone or control system connectivity. These devices are typically used in manufacturing networks to connect PLCs, field devices, and supervisory systems. If compromised, an attacker could disrupt communication across the entire control network.

How it could be exploited

An attacker would send a specially crafted HTTP request to the web-based management interface (typically port 80) containing malicious input designed to overflow the buffer in the CGI handler. The lighttpd server processes this input without proper validation, allowing the attacker to overwrite memory and execute arbitrary code directly on the switch with full privileges.

Prerequisites

Network access to the switch's web management interface (default port 80 or configured management port)
The web interface must be reachable from the attacker's location (either local network or exposed to the internet)

remotely exploitableno authentication requiredlow complexityhigh CVSS score (9.8)affects network backbone/switching infrastructurestack buffer overflow vulnerability

Exploitability

Low exploit probability (EPSS 0.7%)

Affected products (4)

4 with fix

ProductAffected VersionsFix Status

Industrial-Managed-Switch 0852-1328≤ 2.6402.65

Industrial-Managed-Switch 0852-13282.6402.65

Industrial-Managed-Switch 0852-1322≤ 2.6402.65

Industrial-Managed-Switch 0852-13222.6402.65

Remediation & Mitigation

0/4

Do now

0/3

Industrial-Managed-Switch 0852-1322

HOTFIXUpdate WAGO Industrial-Managed-Switch 0852-1322 to firmware version 02.65 or later

Industrial-Managed-Switch 0852-1328

HOTFIXUpdate WAGO Industrial-Managed-Switch 0852-1328 to firmware version 02.65 or later

All products

WORKAROUNDRestrict network access to the switch management interface to only authorized engineering workstations using a firewall rule or ACL (block port 80/443 from untrusted networks)

Long-term hardening

0/1

HARDENINGSegment the management network: place managed switches on a separate VLAN accessible only to authorized administrative staff

CVEs (4)

CVE-2026-22903 CVE-2026-22904 CVE-2026-22905 CVE-2026-22906

View full CERT@VDE advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/50c7f839-9c6c-429c-ad2e-a3736c43d35e