
WAGO: Vulnerabilities in Managed Switch

VDE-2026-004
Last update: 02/09/2026 09:00
Published at: 02/09/2026 09:00
Vendor(s): WAGO GmbH & Co. KG
External ID: VDE-2026-004

Summary

Several vulnerabilities have been identified in the WAGO 852‑1328 device's web‑based management interface, which is implemented using a modified lighttpd server and custom CGI binaries. These issues include multiple stack buffer overflows, an authentication bypass, and insecure credential storage.

Impact

Successful exploitation may allow remote attackers to crash the web service, execute arbitrary code, bypass authentication controls, and obtain plaintext administrative credentials.

Affected Product(s)

| Model no. | Product name | Affected versions |
|-----------|--------------|-------------------|
| 0852-1322 | 0852-1322 | Firmware 2.64, Firmware vers:generic/<=2.64 |
| 0852-1328 | 0852-1328 | Firmware vers:generic/<=2.64, Firmware 2.64 |

Vulnerabilities

Published: 02/09/2026 08:38
Weakness: Use of Hard-coded Cryptographic Key (CWE-321)
Summary

User credentials are stored using AES‑ECB encryption with a hardcoded key. An unauthenticated remote attacker obtaining the configuration file can decrypt and recover plaintext usernames and passwords, especially when combined with the authentication bypass.

Published: 02/09/2026 08:38
Weakness: Stack-based Buffer Overflow (CWE-121)
Summary

Improper length handling when parsing multiple cookie fields (including TRACKID) allows an unauthenticated remote attacker to send oversized cookie values and trigger a stack buffer overflow, resulting in a denial‑of‑service condition and possible remote code execution.

Published: 02/09/2026 08:38
Weakness: Stack-based Buffer Overflow (CWE-121)
Summary

An unauthenticated remote attacker can send a crafted HTTP request containing an overly long SESSIONID cookie. This can trigger a stack buffer overflow in the modified lighttpd server, causing it to crash and potentially enabling remote code execution due to missing stack protections.

Published: 02/09/2026 08:38
Weakness: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') (CWE-22)
Summary

An unauthenticated remote attacker can bypass authentication by exploiting insufficient URI validation and using path traversal sequences (e.g., /js/../cgi-bin/post.cgi), gaining unauthorized access to protected CGI endpoints and configuration downloads.
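
A detection check for the cookie and path traversal issues described above, added here as an example and not taken from WAGO or CERT@VDE: it flags request heads whose URI contains dot segments resolving into /cgi-bin/ and cookies longer than a limit. The names inspect_request and MAX_COOKIE_LEN, the limit of 128 and the sample requests are assumptions; the check also covers percent-encoded dot segments, which goes beyond the single URI form shown in the advisory.

```python
import posixpath
from urllib.parse import unquote

# Assumed values, not taken from the advisory: tune to the tokens the device issues.
MAX_COOKIE_LEN = 128
PROTECTED_PREFIX = "/cgi-bin/"   # CGI directory from the advisory's example URI

def inspect_request(raw: str) -> list[str]:
    """Return findings for one raw HTTP request head (request line + headers)."""
    findings = []
    head = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    parts = head[0].split(" ")
    if len(parts) != 3:
        return ["malformed-request-line"]
    # Decode percent-escapes before looking for dot segments, so %2e%2e is caught too.
    path = unquote(parts[1].split("?", 1)[0])
    if ".." in path.split("/"):
        resolved = posixpath.normpath("/" + path.lstrip("/"))
        if (resolved + "/").startswith(PROTECTED_PREFIX):
            findings.append("traversal-into-cgi-bin:" + resolved)
        else:
            findings.append("dot-segment-in-uri:" + resolved)
    for line in head[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() != "cookie":
            continue
        # Every cookie is checked, since the advisory names several affected fields.
        for pair in value.split(";"):
            key, _, val = pair.strip().partition("=")
            if len(val) > MAX_COOKIE_LEN:
                findings.append(f"oversized-cookie:{key}:{len(val)}")
    return findings

# Constructed sample requests (not captured traffic).
SAMPLES = {
    "normal": "GET /index.html HTTP/1.1\r\nHost: switch\r\nCookie: SESSIONID=" + "a" * 32 + "\r\n\r\n",
    "traversal": "GET /js/../cgi-bin/post.cgi HTTP/1.1\r\nHost: switch\r\n\r\n",
    "encoded": "GET /js/%2e%2e/cgi-bin/post.cgi HTTP/1.1\r\nHost: switch\r\n\r\n",
    "long_cookie": "GET / HTTP/1.1\r\nHost: switch\r\nCookie: TRACKID=1; SESSIONID=" + "A" * 600 + "\r\n\r\n",
}

if __name__ == "__main__":
    for label, request in SAMPLES.items():
        print(label, inspect_request(request))
```

The same two conditions can be enforced as deny rules on a reverse proxy placed in front of devices that cannot be updated immediately.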

Remediation

Please update your devices to the specified fixed firmware version 02.65.

Acknowledgments

WAGO GmbH & Co. KG thanks the following parties for their efforts:

  • CERT@VDE for coordination
  • Diconium for reporting

Revision History

| Version | Date | Summary |
|---------|------|---------|
| 1.0.0 | 02/09/2026 09:00 | Release version. |