Back to overview

WAGO: Multiple Vulnerabilities in WAGO Solution Builder and WAGO Device Sphere

VDE-2026-010
Last update
03/30/2026 09:00
Published at
03/30/2026 09:00
Vendor(s)
WAGO GmbH & Co. KG
External ID
VDE-2026-010
CSAF Document
Download

Summary

Multiple vulnerabilities have been identified in WAGO Solution Builder and WAGO Device Sphere that affect components responsible for authentication and system communication.

Impact

The identified vulnerabilities could enable unauthorized parties to gain access to protected system areas or bypass intended security controls. This may expose sensitive data and reduce overall system trustworthiness if not promptly addressed.

Affected Product(s)

Model no. Product name Affected versions
Device Sphere 1.2.1, vers:generic/<1.2.2
Solution Builder 2.4.1, vers:generic/<2.4.2

Vulnerabilities

Expand / Collapse all

Published
03/30/2026 08:54
Severity
9.9 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L
Weakness
Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling') (CWE-444)
Summary

Inconsistent interpretation of http requests ('http request/response smuggling') in ASP.NET Core allows an authorized attacker to bypass a security feature over a network.

References
cve.org | nvd.nist.gov

Published
03/30/2026 08:54
Severity
7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Weakness
Improper Filtering of Special Elements (CWE-790)
Summary

An unauthenticated remote attacker can exploit insufficient input validation to access backend components beyond their intended scope via path traversal, resulting in exposure of sensitive information.

References
cve.org | nvd.nist.gov

Remediation

Update to WAGO Device Sphere version 1.2.2. and WAGO Solution Builder version 2.4.2

Acknowledgments

WAGO GmbH & Co. KG thanks the following parties for their efforts:

  • CERTVDE for coordination (see https://certvde.com )
  • Marvin Ramsperger from SySS GmbH for reporting

Revision History

Version Date Summary
1.0.0 03/30/2026 09:00 Initial release.