WAGO Industrial Switches: Unauthenticated CLI Escape Grants Full Device Compromise

A hidden function in WAGO industrial managed switches allows unauthenticated remote attackers to escape the restricted CLI and achieve complete device compromise across six hardware models. This represents a critical supply chain risk for industrial control systems.

Sebastion

Affected

WAGO 852-1812, WAGO 852-1813, WAGO 852-1813/000-001, WAGO 852-1816, WAGO 852-303, WAGO 852-1305

WAGO GmbH industrial managed switches contain a critical authentication bypass vulnerability exploitable without credentials via an undocumented CLI function. The vulnerability affects six distinct hardware models running firmware versions released before mid-2026, suggesting the flaw has existed in production environments for an extended period. An attacker with network access to the management interface can invoke this hidden function to escape the restricted command environment and gain unrestricted shell access, resulting in full device compromise.

The technical nature of this flaw is particularly concerning for industrial environments. Managed switches in critical infrastructure networks are frequently assumed to be low-risk assets relative to control servers or HMIs, yet WAGO devices often sit on the network boundary between IT and OT zones. The presence of a hidden function suggests this was either undocumented legacy functionality, a maintenance backdoor, or debug code that shipped in production. The unauthenticated attack surface means any network-adjacent threat actor, from a compromised engineering workstation to an insider with access to a building's data closet, can fully compromise the device without requiring credentials or tools.

Affected organisations must treat this as a critical priority. WAGO firmware updates are available for all identified models, but the heterogeneous nature of industrial deployments means many installations will not be running the latest firmware. Network segmentation is the primary interim control: restricting management interface access via firewall rules or dedicated management networks will prevent exploitation. Organisations should inventory WAGO switch deployments immediately and cross-reference against the affected hardware models and firmware versions listed in the CISA advisory.
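The inventory cross-reference described above can be scripted. The following is an added example, not code from WAGO, CISA or this page's author: it matches an asset export against the six affected models listed here and ranks devices whose management address lies outside the dedicated management subnet first. The CSV columns, hostnames, firmware labels, the `10.99.0.0/24` management subnet and the treatment of zero-padded item numbers are assumptions; fixed firmware versions are not given on this page, so the recorded firmware is only reported for comparison against the CISA advisory.

```python
import csv
import io
import ipaddress

# Affected models exactly as listed on this page.
AFFECTED = {"852-1812", "852-1813", "852-1813/000-001",
            "852-1816", "852-303", "852-1305"}

# Assumption: the subnet(s) your site reserves for switch management (constructed).
MGMT_NETS = [ipaddress.ip_network("10.99.0.0/24")]

# Constructed sample inventory; substitute your own asset export.
SAMPLE_INVENTORY = """hostname,model,firmware,mgmt_ip
sw-line1,WAGO 852-1813/000-001,fw-a,10.99.0.11
sw-line2,852-1812,fw-b,192.168.10.5
sw-office,0852-0303,fw-c,10.99.0.12
sw-lab,852-1813/000-009,fw-d,192.168.10.9
sw-core,OtherVendor X1,fw-e,192.168.10.1
"""

def normalise_model(raw):
    """Reduce inventory spellings to the form used in the affected list."""
    text = raw.upper().replace("WAGO", "").strip()
    base, _, variant = text.partition("/")
    # Assumption: zero-padded item numbers (0852-0303) denote the same item.
    base = "-".join(part.lstrip("0") or "0" for part in base.split("-"))
    return f"{base}/{variant}" if variant else base

def triage(inventory_csv):
    """Return one finding per switch that needs attention, most urgent first."""
    findings = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        model = normalise_model(row["model"])
        if model in AFFECTED:
            status = "affected"
        elif model.split("/")[0] in AFFECTED:
            status = "variant-check-advisory"  # listed base, unlisted suffix
        else:
            continue
        ip = ipaddress.ip_address(row["mgmt_ip"])
        isolated = any(ip in net for net in MGMT_NETS)
        findings.append({"hostname": row["hostname"], "model": model,
                         "firmware": row["firmware"], "status": status,
                         "mgmt_isolated": isolated})
    # Devices whose management IP sits outside the management subnet come first.
    findings.sort(key=lambda f: (f["mgmt_isolated"], f["status"] != "affected"))
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE_INVENTORY):
        print(finding)
```

Subnet membership in an inventory is only a proxy for segmentation; the firewall rules restricting access to the management interface still need to be verified separately.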

The broader implication is that embedded network infrastructure in industrial environments often receives less scrutiny than applications or servers, yet can serve as a pivot point for lateral movement or network traffic manipulation. This advisory should prompt a systematic review of management interfaces across all network infrastructure vendors in critical systems, not merely WAGO devices. Educational institutions and manufacturing environments with legacy WAGO deployments are likely to be most affected given their maintenance cycles and budget constraints.