Critical Remote Code Execution in WAGO Industrial Managed Switches (CVE‑2026‑3587) Threatens OT Environments
What It Is – A hidden function in the command‑line interface of WAGO GmbH & Co. KG Industrial Managed Switches can be invoked without authentication, allowing an attacker to escape the restricted shell and obtain full control of the device.
Exploitability – The vulnerability is unauthenticated, remote‑network reachable, and has been confirmed in the wild by CISA. No public PoC is released, but the attack vector is trivial for a skilled adversary. CVSS v3.1 has not yet been published; the impact is assessed as Critical.
Affected Products – All WAGO firmware versions prior to the patches listed below are vulnerable:
- WAGO_Hardware_852‑1812, 852‑1813, 852‑1813/000‑001, 852‑1816, 852‑303, 852‑1305, 852‑1305/000‑001, 852‑1505/000‑001, 852‑1505, 852‑602, 852‑603, 852‑1605, 852‑1812/010‑000, 852‑1813/010‑000 (see CISA advisory for full matrix).
TPRM Impact – Compromise of these switches can lead to OT network disruption, manipulation of industrial processes, and downstream effects on manufacturers, utilities, and logistics providers that rely on WAGO hardware as a third‑party component.
Recommended Actions –
- Patch Immediately – Deploy the latest firmware (≥ V1.2.1.S0, V1.2.3.S0, V1.2.8.S0, V1.2.5.S0 as applicable).
- Inventory – Identify all WAGO managed switches in your environment and map their firmware versions.
- Network Segmentation – Isolate OT switches from corporate and internet‑facing networks.
- Monitor – Enable logging of CLI access attempts and watch for anomalous commands.
- Vendor Coordination – Confirm remediation timelines with WAGO and update contractual security clauses.
Source: CISA Advisory – ICS‑A‑26‑085‑01