A coordinated disclosure by CERT@VDE and WAGO has unveiled a devastating vulnerability—CVE-2025-41672—impacting WAGO’s industrial automation platform Device Sphere. Rated CVSS 10.0, the flaw enables remote, unauthenticated attackers to gain full administrative control over all systems using shared default JWT certificates.
“During installation, identical certificates are installed across all systems instead of unique ones,” the advisory explained, referring to the JWT Token encryption and signing keys used in Device Sphere deployments.
In standard secure architectures, each system should generate a unique signing key for issuing JSON Web Tokens (JWTs), ensuring authentication is tightly scoped and system-specific.
But in WAGO Device Sphere version 1.0:
“The system installs identical JWT signing certificates on all installations… allowing anyone with the shared key to forge valid tokens and impersonate users across all systems,” the advisory stated.
This design flaw essentially grants any attacker who possesses or extracts the shared certificate the ability to generate valid admin-level tokens—without requiring credentials.
WAGO Device Sphere is a centralized platform for managing operational technology (OT) and connected automation devices. A compromise here could mean:
- Remote manipulation of industrial control systems (ICS)
- Network pivoting across OT/IT boundaries
- Installation of malicious firmware or sabotage of control processes
For environments running critical infrastructure, this is not just a theoretical risk—it’s a full-system breach vector.
WAGO has addressed the issue in Device Sphere version 1.0.1, which replaces shared certificates with unique ones generated at install time.
“WAGO Device Sphere version 1.0 can’t be used after the 30.06.2025,” the advisory warns, highlighting a mandatory upgrade deadline to protect users from ongoing exposure.
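One way to confirm that no two installations still hold the same signing certificate, as an added example that is not WAGO's or CERT@VDE's code. It assumes the operator has already collected each installation's JWT signing certificate as PEM text; the host names, PEM payloads and function names are constructed for illustration.

```python
import base64
import binascii
import hashlib
import re
from collections import defaultdict

PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----(.*?)-----END \1-----", re.DOTALL)

def der_fingerprint(pem_text):
    """SHA-256 of the decoded DER, so CRLF or re-wrapped copies still match."""
    match = PEM_BLOCK.search(pem_text)
    if not match:
        raise ValueError("no PEM block found")
    try:
        der = base64.b64decode("".join(match.group(2).split()), validate=True)
    except binascii.Error as exc:
        raise ValueError("invalid base64 in PEM body") from exc
    return hashlib.sha256(der).hexdigest()

def find_shared_keys(pem_by_host):
    """Return ({fingerprint: hosts} held by 2+ hosts, hosts whose PEM is unreadable)."""
    hosts_by_fp, unreadable = defaultdict(list), []
    for host, pem_text in sorted(pem_by_host.items()):
        try:
            hosts_by_fp[der_fingerprint(pem_text)].append(host)
        except ValueError:
            unreadable.append(host)
    shared = {fp: hosts for fp, hosts in hosts_by_fp.items() if len(hosts) > 1}
    return shared, unreadable

def constructed_pem(payload, width=64, newline="\n"):
    # Constructed stand-in: the payload is not a real certificate, only
    # bytes that let the comparison logic run offline.
    b64 = base64.b64encode(payload).decode()
    lines = [b64[i:i + width] for i in range(0, len(b64), width)]
    return newline.join(["-----BEGIN CERTIFICATE-----", *lines, "-----END CERTIFICATE-----", ""])

SHARED = b"constructed shared signing certificate " * 4
SAMPLE_FLEET = {  # constructed inventory: host name -> collected PEM text
    "plant-a": constructed_pem(SHARED),
    "plant-b": constructed_pem(SHARED, width=76, newline="\r\n"),  # same cert, other layout
    "plant-c": constructed_pem(b"constructed unique certificate for plant-c " * 4),
    "plant-d": "not a pem file",
}

if __name__ == "__main__":
    shared, unreadable = find_shared_keys(SAMPLE_FLEET)
    for fp, hosts in shared.items():
        print(f"{fp[:16]}... shared by {', '.join(hosts)}")
    print("unreadable:", unreadable)
```

Any fingerprint reported for more than one host means those installations trust the same signing key; hosts listed as unreadable need a manual look rather than being counted as unique.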