VDE-2025-057 | CERT@VDE

2025-07-07 08:00 (CEST) VDE-2025-057

WAGO: Vulnerability in WAGO Device Sphere

Share: Email | Twitter

ID

VDE-2025-057

Published

2025-07-07 08:00 (CEST)

Last update

2025-07-03 15:27 (CEST)

Vendor(s)

WAGO GmbH & Co. KG

Product(s)

Article No°	Product Name	Affected Version(s)
	Wago Device Sphere	1.0.0

Summary

During installation, identical certificates are installed across all systems instead of unique ones, which are intended for JWT Token encryption and signing.

CVE ID

CVE-2025-41672

Last Update:

July 7, 2025, 8:17 a.m.

Severity

10 (CVSS:3.1/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H)

Weakness

Initialization of a Resource with an Insecure Default (CWE-1188)

Summary

A remote unauthenticated attacker may use default certificates to generate JWT Tokens and gain full access to the tool and all connected devices.

Details

certvde.com

Impact

The system installs identical JWT signing certificates on all installations instead of generating unique ones. This allows anyone with the shared key to forge valid tokens and impersonate users across all systems, compromising security.

Solution

Remediation

Update to WAGO Device Sphere version 1.0.1. WAGO Device Sphere version 1.0 can't be used after the 30.06.2025.

Reported by

CERT@VDE coordinated with WAGO