| Article No° | Product Name | Affected Version(s) |
|---|---|---|
| | Wago Device Sphere | 1.0.0 |
During installation, the same certificates, which are used for JWT token encryption and signing, are installed on every system instead of unique ones being generated per installation.
A remote unauthenticated attacker may use the default certificates to generate valid JWT tokens and thereby gain full access to the tool and all connected devices.
Because every installation receives the same JWT signing certificate rather than a uniquely generated one, anyone holding the shared key can forge valid tokens and impersonate users on any installation, compromising security.
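As an added illustration (not code from WAGO or CERT@VDE), the following Go program models two installations that share one RS256 signing key and two that each generate their own, and shows that a token minted on one installation verifies on the other only in the shared-key case; the Installation type, NewKey and the minimal JWT construction are the example's own assumptions.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"strings"
)

// Installation models one deployed instance and the RSA key its JWTs are signed with (constructed example, not WAGO's code).
type Installation struct{ key *rsa.PrivateKey }
// NewKey generates signing key material; a fixed installer calls it once per install.
func NewKey() *rsa.PrivateKey {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	return k
}
func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }
// IssueToken mints a minimal RS256 JWT (header.claims.signature) from a JSON claims string.
func (in *Installation) IssueToken(claimsJSON string) string {
	input := b64([]byte(`{"alg":"RS256","typ":"JWT"}`)) + "." + b64([]byte(claimsJSON))
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, in.key, crypto.SHA256, digest[:])
	if err != nil {
		panic(err)
	}
	return input + "." + b64(sig)
}
// Accepts is true only if the signature verifies under this install's own public key.
func (in *Installation) Accepts(token string) bool {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return false
	}
	sig, _ := base64.RawURLEncoding.DecodeString(parts[2]) // an undecodable signature simply fails to verify
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	return rsa.VerifyPKCS1v15(&in.key.PublicKey, crypto.SHA256, digest[:], sig) == nil
}
func main() {
	shared := NewKey() // vulnerable: every install ends up holding this same key
	a, b := &Installation{shared}, &Installation{shared}
	c, d := &Installation{NewKey()}, &Installation{NewKey()} // fixed: a fresh key per install
	fmt.Println("shared key, B trusts A's token:", b.Accepts(a.IssueToken(`{"sub":"admin"}`)))
	fmt.Println("unique keys, D trusts C's token:", d.Accepts(c.IssueToken(`{"sub":"admin"}`)))
}
```

Running it prints `true` for the shared-key pair and `false` for the per-install pair, which is the difference between the 1.0.0 behaviour and the remediated one.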
Remediation
Update to WAGO Device Sphere version 1.0.1. WAGO Device Sphere version 1.0 cannot be used after 30.06.2025.
CERT@VDE coordinated with WAGO