A severe vulnerability has been uncovered in several models of WAGO Managed Switches, potentially leaving industrial networks exposed to complete takeover. The flaw, tracked as CVE-2026-3587, has earned the highest possible risk rating of CVSS 10.0, signaling a critical threat that requires immediate attention from system administrators.
The vulnerability allows an unauthenticated, remote attacker to fully compromise the device by exploiting a “hidden” or undocumented function within the Command Line Interface (CLI).
At the heart of the issue is a breakdown in the switch’s restricted interface. Typically, a CLI prompt for a managed switch is designed to limit users to a specific set of safe commands. However, researchers found an undocumented function that acts as a “backdoor”.
By exploiting this hidden function, an attacker can “escape” the restricted environment. Once outside these boundaries, the attacker gains the ability to execute unauthorized commands, leading to a full system compromise of the affected hardware. Because no authentication is required to trigger this exploit, the barrier to entry for a remote attacker is dangerously low.
WAGO’s managed switches are staples in industrial automation and building technology. A full compromise of these devices could allow an attacker to disrupt network traffic, intercept sensitive data, or pivot to other critical systems on the plant floor.
The vulnerability affects a broad lineup of products, including:
- Industrial Managed Switches: Models 852-303, 852-602, 852-603, 852-1305, 852-1505, and 852-1605.
- Lean Managed Switches: Models 852-1812, 852-1813, and 852-1816 (including various sub-models).
WAGO has moved quickly to release patched firmware to close this undocumented loophole. Users are urged to update their devices to the specified fixed versions as soon as possible.
| Affected Product Line | Fixed Firmware Version |
| --- | --- |
| Industrial Managed Switch 852-303 | V1.2.8.S1 |
| Industrial Managed Switch 852-1305 / 1505 | V1.2.0.S1 |
| Lean Managed Switch 852-1812 / 1813 / 1816 | V1.2.1.S1 |
| Industrial Managed Switch 852-602 / 603 | V1.0.6.S1 |
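
To turn the table into an inventory check, the following Python script is an added example (not code from WAGO or from this article) that flags switches still below the fixed firmware. Assumptions: firmware strings order numerically component by component with a missing `S` suffix ranking below `S1`, sub-models are written as the base model followed by `/…`, and the hostnames and inventory rows are constructed sample data.

```python
import re

# Fixed firmware per model, taken from the table above.
FIXED = {
    "852-303": "V1.2.8.S1",
    "852-1305": "V1.2.0.S1", "852-1505": "V1.2.0.S1",
    "852-1812": "V1.2.1.S1", "852-1813": "V1.2.1.S1", "852-1816": "V1.2.1.S1",
    "852-602": "V1.0.6.S1", "852-603": "V1.0.6.S1",
}
# Named as affected in the article, but no fixed version appears in its table.
AFFECTED_NO_FIX_LISTED = {"852-1605"}

def parse_version(text):
    """Turn 'V1.2.8.S1' into (1, 2, 8, 1); a missing S suffix counts as S0.
    Assumption: versions order numerically, component by component."""
    m = re.fullmatch(r"[Vv]?(\d+)\.(\d+)\.(\d+)(?:\.S(\d+))?", text.strip())
    if not m:
        raise ValueError(f"unrecognised firmware version: {text!r}")
    return tuple(int(g or 0) for g in m.groups())

def base_model(item):
    """Map a sub-model (assumed form '852-1812/010-000') to its base model."""
    return item.strip().split("/")[0]

def assess(item, firmware):
    """Classify one device against the article's fixed-version table."""
    model = base_model(item)
    if model in AFFECTED_NO_FIX_LISTED:
        return "affected-no-fix-listed"
    if model not in FIXED:
        return "not-listed"
    try:
        current = parse_version(firmware)
    except ValueError:
        return "unknown-version"  # needs manual review, never assume patched
    return "patched" if current >= parse_version(FIXED[model]) else "vulnerable"

# Constructed sample inventory (hostname, item number, firmware), not real data.
INVENTORY = [
    ("sw-line1", "852-303", "V1.2.7"),
    ("sw-line2", "852-1812/010-000", "V1.2.1.S1"),
    ("sw-hvac", "852-1605", "V1.1.0"),
    ("sw-lab", "852-603", "build-unknown"),
]

def report(inventory=INVENTORY):
    return {host: assess(item, fw) for host, item, fw in inventory}

if __name__ == "__main__":
    for host, status in report().items():
        print(f"{host}: {status}")
```

Devices reported as `affected-no-fix-listed` or `unknown-version` need manual follow-up against the vendor advisory rather than being treated as safe.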