ID

VDE-2025-057

Published

2025-07-07 08:00 (CEST)

Last update

2025-07-03 15:27 (CEST)

Vendor(s)

WAGO GmbH & Co. KG

Product(s)

Article No.   Product Name          Affected Version(s)
              Wago Device Sphere    1.0.0

Summary

During installation, identical certificates are installed on every system instead of unique ones; these certificates are used for JWT token encryption and signing.

CVE ID

CVE-2025-41672

Last Update:

July 7, 2025, 8:17 a.m.

Weakness

Initialization of a Resource with an Insecure Default (CWE-1188)

Summary

A remote unauthenticated attacker may use the default certificates to generate JWT tokens and gain full access to the tool and all connected devices.

Impact

The system installs identical JWT signing certificates on all installations instead of generating a unique one per installation. Anyone holding the shared private key can therefore forge tokens that every installation accepts as valid and impersonate users across all systems.
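The cross-installation token acceptance at the root of this advisory, as an added example that is not part of the advisory or of WAGO's code: two simulated installations either share one constructed vendor-default RSA key (the 1.0.0 behaviour) or generate their own key pair at install time, and `cross_accepts?` is the deployment check that must return false for any two independent installations. Class and method names, the RS256 token format and the claim set are assumptions made for the example.

```ruby
require 'openssl'
require 'base64'
require 'json'

# Models one deployment of a tool that mints its own RS256 JWTs (OpenSSL from stdlib).
class Installation
  # Constructed stand-in for the single key that, per the advisory, every
  # 1.0.0 installation received instead of a unique one.
  VENDOR_DEFAULT_KEY = OpenSSL::PKey::RSA.new(2048)
  attr_reader :key

  def initialize(key)
    @key = key
  end

  # Flawed provisioning (the 1.0.0 behaviour): every install shares one key.
  def self.install_shared
    new(VENDOR_DEFAULT_KEY)
  end

  # Corrected provisioning: a fresh key pair generated for each install.
  def self.install_unique
    new(OpenSSL::PKey::RSA.new(2048))
  end

  def self.b64(bytes)
    Base64.urlsafe_encode64(bytes, padding: false)
  end

  # Mints a minimal RS256 JWT; the claim set is constructed for the example.
  def issue_token(subject)
    signing_input = "#{Installation.b64('{"alg":"RS256","typ":"JWT"}')}." \
                    "#{Installation.b64({ sub: subject }.to_json)}"
    sig = @key.sign(OpenSSL::Digest.new('SHA256'), signing_input)
    "#{signing_input}.#{Installation.b64(sig)}"
  end

  # True only when this installation's own public key validates the signature.
  def accepts?(token)
    head, body, sig = token.split('.')
    return false unless head && body && sig
    @key.public_key.verify(OpenSSL::Digest.new('SHA256'),
                           Base64.urlsafe_decode64(sig), "#{head}.#{body}")
  rescue OpenSSL::PKey::PKeyError, ArgumentError
    false
  end
end

# Deployment check: does installation b accept a token minted by installation a?
# Independent installations must never cross-accept; a shared default key makes them.
def cross_accepts?(a, b)
  b.accepts?(a.issue_token('operator'))
end
```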

Solution

Remediation

Update to WAGO Device Sphere version 1.0.1. WAGO Device Sphere version 1.0 cannot be used after 30.06.2025.

Reported by

CERT@VDE coordinated with WAGO