VDE-2025-057
Last update
07.07.2025 08:15
Published at
23.06.2025 12:00
Vendor(s)
WAGO GmbH & Co. KG
External ID
VDE-2025-057
CSAF Document
Summary
During installation, the certificates intended for JWT token encryption and signing are installed identically across all systems instead of being generated uniquely per system.
Impact
The system installs identical JWT signing certificates on all installations instead of generating unique ones. This allows anyone with the shared key to forge valid tokens and impersonate users across all systems, compromising security.
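To illustrate the Impact paragraph, the following is an added example (not WAGO's code and not part of this advisory): two installations each sign and verify JWTs, and the check shows that a token minted on installation A is accepted by installation B only when both share the same key. It uses HS256 (HMAC-SHA256) from the standard library as a stand-in for the certificate-based signing the advisory describes; the installation names, the claims and the "shared default key" value are constructed.

```python
import base64
import hashlib
import hmac
import json
import secrets
from typing import Optional

# Constructed stand-in for a signing key that an installer ships unchanged
# to every system (the advisory's scenario). Not a real key from the product.
SHARED_DEFAULT_KEY = b"constructed-default-key-shipped-with-installer"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def sign_jwt(key: bytes, claims: dict) -> str:
    """Mint a compact HS256 JWT (header.payload.signature) with the given key."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_jwt(key: bytes, token: str) -> Optional[dict]:
    """Return the claims if the signature matches this installation's key, else None."""
    try:
        header, payload, sig = token.split(".")
    except ValueError:
        return None
    expected = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        return None
    return json.loads(_b64url_decode(payload))


def cross_install_acceptance(unique_keys: bool) -> bool:
    """Does installation B accept a token minted by installation A?

    unique_keys=False models the advisory's defect (one key everywhere);
    unique_keys=True models the fix (a fresh key generated per installation).
    """
    key_a = secrets.token_bytes(32) if unique_keys else SHARED_DEFAULT_KEY
    key_b = secrets.token_bytes(32) if unique_keys else SHARED_DEFAULT_KEY
    token = sign_jwt(key_a, {"sub": "admin", "iss": "installation-A"})
    return verify_jwt(key_b, token) is not None
```

With the shared key, `cross_install_acceptance(False)` returns True (a token from one system is valid on every other); with per-installation keys it returns False.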
Affected Product(s)
Model no. | Product name | Affected versions |
---|---|---|
 | WAGO Software Device Sphere | <1.0.1 |
Vulnerabilities
Published
22.09.2025 14:57
Severity
Weakness
Initialization of a Resource with an Insecure Default (CWE-1188)
Summary
A remote unauthenticated attacker may use default certificates to generate JWT Tokens and gain full access to the tool and all connected devices.
References
Remediation
Update to WAGO Device Sphere version 1.0.1. WAGO Device Sphere version 1.0 cannot be used after 30.06.2025.
Revision History
Version | Date | Summary |
---|---|---|
1.0.0 | 12.06.2025 09:00 | Initial release. |
1.0.1 | 07.07.2025 08:15 | Fixed typo in CVE-ID. |