Skip to main content
RuntimeRebel
root@rebel:~$ cd /news/threats/cve-2026-3587-wago-switches-cli-escape-leads-to-full-device-compromise_
[TIMESTAMP: 2026-03-26 16:39 UTC] [AUTHOR: Runtime Rebel Intel] [SEVERITY: CRITICAL]

CVE-2026-3587: WAGO Switches CLI Escape Leads to Full Device Compromise

CRITICAL Vulnerabilities #CVE-2026-3587#WAGO#Industrial Managed Switches
AI-Assisted Analysis
READ_TIME: 5 min read
// executive briefing tl;dr
  • [01] Immediate impact: Unauthenticated remote attackers can fully compromise WAGO Industrial Managed Switches, posing a critical risk to operational technology in vital infrastructure sectors.
  • [02] Affected systems: Multiple WAGO Industrial and Lean Managed Switches running firmware versions prior to specified patched releases are vulnerable.
  • [03] Remediation: Immediately update all affected WAGO Managed Switches to the latest patched firmware versions.

Critical Vulnerability in WAGO Industrial Managed Switches (CVE-2026-3587)

An unauthenticated remote attacker can exploit a hidden function in the CLI prompt of WAGO Industrial Managed Switches to escape the restricted interface. This critical flaw, identified as CVE-2026-3587, carries a CVSS v3 base score of 10.0, indicating the highest severity. Successful exploitation leads to full compromise of the device, posing severe risks to operational technology (OT) environments, particularly within critical infrastructure sectors such as Commercial Facilities, Critical Manufacturing, Energy, and Transportation Systems. This advisory highlights the urgent need for immediate remediation to prevent potential disruption and unauthorized access. According to CISA’s advisory ICSA-26-085-01, this vulnerability could enable attackers to gain complete control over affected industrial network components, underscoring the necessity for security professionals to understand the implications and implement robust defense strategies.

Technical Analysis: Unauthenticated Remote CLI Escape Vulnerability

The core of CVE-2026-3587 lies in a “hidden functionality” (CWE-912) present within the command-line interface (CLI) of affected WAGO Industrial Managed Switches. An attacker, without needing any prior authentication, can leverage this hidden function to bypass the intended restricted CLI environment. Once the attacker escapes this restricted shell, they gain arbitrary access to the device’s underlying operating system or administrative functions. This capability effectively grants an unauthenticated remote attacker administrative privileges, leading to full control of the network switch. In an industrial control system (ICS) context, compromise of a managed switch can have far-reaching consequences, including:

  • Network Segmentation Bypass: Attackers could reconfigure network rules, allowing for lateral movement across different operational segments.
  • Data Exfiltration: Sensitive operational data or configuration files could be stolen.
  • Disruption of Operations: Malicious reconfiguration or denial-of-service could directly impact industrial processes, leading to outages or physical damage.
  • Further Attack Vector: A compromised switch can serve as a pivot point for launching additional attacks against connected controllers, sensors, and other OT assets.

The broad impact is exacerbated by the fact that these switches are deployed worldwide in sensitive critical infrastructure environments.

Affected WAGO Industrial Managed Switches and Firmware Versions

A wide range of WAGO GmbH & Co. KG Industrial Managed Switches are affected by this vulnerability. Organizations must identify and verify all WAGO switches within their environments. The vulnerability impacts firmware versions prior to specific patched versions across numerous hardware models.

Key Affected Product Lines and Firmware Versions (prior to specified fixes):

  • WAGO Firmware versions prior to V1.2.1.S0 (Hardware: 852-1812, 852-1813, 852-1816, 852-1812/010-000, 852-1813/010-000, 852-1816/010-000, 852-1813/010-001)
  • WAGO Firmware versions prior to V1.2.3.S0 (Hardware: 852-1813/000-001)
  • WAGO Firmware versions prior to V1.2.8.S0 (Hardware: 852-303)
  • WAGO Firmware versions prior to V1.2.0.S0 (Hardware: 852-1305, 852-1305/000-001, 852-1505/000-001)
  • WAGO Firmware versions prior to V1.1.9.S0 (Hardware: 852-1505)
  • WAGO Firmware versions prior to V1.0.6.S0 (Hardware: 852-602, 852-603)
  • WAGO Firmware versions prior to V1.2.5.S0 (Hardware: 852-1605)

Organizations should consult the specific remediation details provided by WAGO and CISA to ensure all affected product versions are identified.

Actionable Recommendations: How to Mitigate CVE-2026-3587 WAGO Switches

Given the critical nature and ease of exploitation for this unauthenticated remote CLI escape vulnerability, immediate action is required. Security teams should prioritize the following:

  • Firmware Updates: The primary and most effective mitigation is to update all affected WAGO Industrial Managed Switches to the specified fixed firmware versions. WAGO has released patched firmware versions (e.g., V1.2.1.S1, V1.2.3.S1, V1.2.8.S1, V1.2.0.S1, V1.1.9.S1, V1.0.6.S1, V1.2.5.S1) for the various hardware models. Refer to the WAGO PSIRT advisory VDE-2026-020 for precise firmware version mappings for your specific hardware. This is the most crucial step for securing your WAGO Industrial Managed Switches.

  • Deactivate Remote CLI Access: As an immediate supplementary measure, or where firmware updates cannot be applied instantly, deactivate SSH and Telnet services on affected devices. This restricts CLI access to local connections via RS232, significantly reducing the attack surface for remote exploitation. This is particularly relevant for “Lean Managed Switch” and “Industrial Managed Switch” models detailed in the advisory.

  • Network Segmentation: Reinforce existing network segmentation strategies. Ensure that control system networks are isolated from business networks and that WAGO switches are not directly exposed to the internet. This reduces the likelihood of remote attackers reaching these devices.

  • Secure Remote Access: If remote access to these devices is necessary, implement and enforce more secure methods such as Virtual Private Networks (VPNs). Ensure VPNs themselves are updated to the latest versions and configured with strong authentication, as their security is only as strong as the connected endpoints.

  • Defense-in-Depth Strategies: Implement a comprehensive defense-in-depth approach for ICS environments. This includes robust firewall rules, intrusion detection systems, and continuous monitoring to detect unusual activity.

    • Minimize network exposure for all control system devices.
    • Perform regular impact analyses and risk assessments before deploying any defensive measures.
    • Educate personnel on avoiding phishing and social engineering attacks that could lead to initial network breaches.

Organizations observing suspected malicious activity related to this vulnerability should follow established internal procedures and report findings to CISA or relevant national CERTs for tracking and correlation. While no public exploitation specifically targeting this vulnerability has been reported to CISA at this time, the critical CVSS score necessitates prompt and thorough remediation.

Advertisement

#CVE-2026-3587 #WAGO #Industrial Managed Switches #ICS #Operational Technology #Hidden Functionality #Unauthenticated Remote #Firmware Vulnerability
X/Twitter LinkedIn Reddit HN
← Back to Articles