WAGO: Multiple Vulnerabilities in WAGO VC Hub
Act Now | CVSS 9.8 | VDE-2026-021 | Mar 30, 2026
WAGO
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary
The WAGO Visualization And Control Hub versions prior to 5.0.1 contain multiple vulnerabilities in the Magick.NET-Q16-AnyCPU image processing component used to handle user-uploaded images and generate thumbnails. These vulnerabilities span memory safety issues (buffer overflow, out-of-bounds access), resource exhaustion, integer overflow, and code injection flaws. While image upload is restricted to authenticated users with Design Project Permission, successful exploitation could lead to remote code execution or denial of service affecting the hub's availability and integrity.
What this means
What could happen
An authenticated attacker with design project permissions could exploit image processing vulnerabilities in the VC Hub to execute arbitrary code or cause the hub to crash, potentially disrupting your visualization and control interface and any connected automation equipment.
Who's at risk
This affects organizations running WAGO VC Hub versions before 5.0.1, particularly those using the hub for remote visualization and control of industrial processes, PLCs, and automation equipment in manufacturing, water treatment, and utilities.
How it could be exploited
An attacker with valid design project credentials logs into the VC Hub and uploads a malicious image to the project image library. The VC Hub processes this image using the vulnerable Magick.NET image processing component, triggering code execution or a denial-of-service condition.
Prerequisites
- Valid user credentials with Design Project Permission on the VC Hub
- Network access to the VC Hub web interface
Tags: remotely exploitable, affects control system interface, high CVSS score (9.8)
Affected products (2)
2 with fix
| Product | Affected Versions | Fix Status |
| --- | --- | --- |
| Visualization And Control Hub < 5.0.1 | < 5.0.1 | 5.0.1 |
| Visualization And Control Hub 5.0.0 | 5.0.0 | 5.0.1 |
Remediation & Mitigation
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
HOTFIX: Update WAGO Visualization And Control Hub to version 5.0.1 or later
CVEs (45)
CVE-2026-24481, CVE-2026-24484, CVE-2026-24485, CVE-2026-25576, CVE-2026-25637, CVE-2026-25638, CVE-2026-25794, CVE-2026-25795, CVE-2026-25796, CVE-2026-25797, CVE-2026-25798, CVE-2026-25799, CVE-2026-25897, CVE-2026-25898, CVE-2026-25965, CVE-2026-25966, CVE-2026-25967, CVE-2026-25969, CVE-2026-25983, CVE-2026-25985, CVE-2026-25987, CVE-2026-25988, CVE-2026-25989, CVE-2026-26066, CVE-2026-26283, CVE-2026-26983, CVE-2026-27798, CVE-2026-27799, CVE-2026-28692, CVE-2026-31853, CVE-2026-30883, CVE-2026-28689, CVE-2026-28493, CVE-2026-28686, CVE-2026-28688, CVE-2026-30929, CVE-2026-28691, CVE-2026-30931, CVE-2026-30936, CVE-2026-30937, CVE-2026-28687, CVE-2026-28690, CVE-2026-28693, CVE-2026-30935, CVE-2026-28494