A cluster of vulnerabilities has been discovered in WAGO’s 852 series Industrial Managed Switches, leaving operational technology (OT) networks exposed to remote takeover. In a new security advisory, CERT@VDE warns that the devices suffer from flaws ranging from hardcoded encryption keys to classic stack buffer overflows, three of which carry a critical CVSS score of 9.8.
The vulnerabilities affect the 0852-1322 and 0852-1328 models (firmware 2.64 and earlier), which are commonly used to manage traffic in industrial environments. The flaws sit in the devices’ web-based management interface, which relies on a modified version of the lighttpd server and custom CGI binaries.
Perhaps the most glaring oversight is CVE-2026-22906, which makes credential theft trivial. The device stores user passwords with AES-ECB encryption rather than a one-way, salted password hash, and the key is hardcoded into the firmware, so anyone who extracts it once can decrypt the credentials stored on any affected device. ECB mode makes matters slightly worse still: identical 16-byte plaintext blocks produce identical ciphertext blocks, so accounts that share a password are recognisable even before decryption.
The advisory explains the risk: “User credentials are stored using AES-ECB encryption with a hardcoded key. An unauthenticated remote attacker obtaining the configuration file can decrypt and recover plaintext usernames and passwords”.
This means that if an attacker obtains a configuration backup, or exploits one of the other flaws to read the configuration file off the device, they can recover the administrator’s password offline and take full control. Any configuration exported from these switches should therefore be handled as if it contained plaintext credentials.
Two other critical vulnerabilities let an attacker crash the web server, and potentially execute code, simply by sending an HTTP request whose cookie value is longer than the fixed-size stack buffer it is copied into.
- CVE-2026-22904: This flaw involves the parsing of the TRACKID cookie. “Improper length handling when parsing multiple cookie fields (including TRACKID) allows an unauthenticated remote attacker to send oversized cookie values and trigger a stack buffer overflow,” the report states.
- CVE-2026-22903: Similarly, the SESSIONID cookie is vulnerable. “An unauthenticated remote attacker can send a crafted HTTP request containing an overly long SESSIONID cookie,” which crashes the server and potentially enables remote code execution due to a lack of stack protections.
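As an added illustration (not code from the advisory or from WAGO’s firmware), here is the shape of that bug in C: a cookie-header parser that copies a cookie value into a fixed-size stack buffer without checking its length, beside a version that rejects oversized values before touching the buffer. The cookie names follow the advisory; the 32-byte buffer, the helper names and the constructed header are assumptions for the example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Size of the on-stack value buffer. Assumed for illustration; the real
 * firmware's buffer size is not given in the advisory. */
#define COOKIE_VALUE_MAX 32

/* Find cookie `name` in a Cookie header body such as
 * "SESSIONID=abc; TRACKID=def". Returns a pointer to the first byte of its
 * value (terminated by ';' or end of string, see cookie_value_len), or NULL. */
static const char *find_cookie(const char *header, const char *name)
{
    size_t nlen = strlen(name);
    const char *p = header;
    while (p != NULL && *p != '\0') {
        while (*p == ' ' || *p == ';')
            p++;
        if (strncmp(p, name, nlen) == 0 && p[nlen] == '=')
            return p + nlen + 1;
        p = strchr(p, ';');               /* advance to the next name=value pair */
    }
    return NULL;
}

/* Length of a cookie value: everything up to the next ';' or end of header. */
static size_t cookie_value_len(const char *value)
{
    const char *end = strchr(value, ';');
    return end != NULL ? (size_t)(end - value) : strlen(value);
}

/* VULNERABLE pattern, as the advisory describes it: the value is copied into a
 * fixed-size stack buffer with no length check, so a value of COOKIE_VALUE_MAX
 * bytes or more overwrites the stack. Returns 0 on success, -1 if absent. */
int copy_cookie_unchecked(const char *header, const char *name, char *out, size_t outsz)
{
    char buf[COOKIE_VALUE_MAX];
    const char *v = find_cookie(header, name);
    if (v == NULL)
        return -1;
    size_t len = cookie_value_len(v);
    memcpy(buf, v, len);                  /* no bound against sizeof buf */
    buf[len] = '\0';
    snprintf(out, outsz, "%s", buf);
    return 0;
}

/* HARDENED: check the length against the buffer before any copy and reject
 * values that do not fit (-2, which the caller maps to 400 Bad Request). */
int copy_cookie_checked(const char *header, const char *name, char *out, size_t outsz)
{
    char buf[COOKIE_VALUE_MAX];
    const char *v = find_cookie(header, name);
    if (v == NULL)
        return -1;
    size_t len = cookie_value_len(v);
    if (len >= sizeof buf)                /* keep one byte for the terminator */
        return -2;
    memcpy(buf, v, len);
    buf[len] = '\0';
    snprintf(out, outsz, "%s", buf);
    return 0;
}

/* Build a constructed header "SESSIONID=a1b2c3; TRACKID=AAA..." with
 * `tracklen` bytes of 'A' and return copy_cookie_checked's result for `name`. */
int checked_result(const char *name, size_t tracklen)
{
    char header[512];
    char out[COOKIE_VALUE_MAX];
    const char *prefix = "SESSIONID=a1b2c3; TRACKID=";
    size_t plen = strlen(prefix);
    if (tracklen > sizeof header - plen - 1)
        return -3;                        /* would not fit the demo header */
    memcpy(header, prefix, plen);
    memset(header + plen, 'A', tracklen);
    header[plen + tracklen] = '\0';
    return copy_cookie_checked(header, name, out, sizeof out);
}

int main(void)
{
    printf("SESSIONID (6 bytes)   -> %d\n", checked_result("SESSIONID", 6));
    printf("TRACKID   (31 bytes)  -> %d\n", checked_result("TRACKID", 31));
    printf("TRACKID   (300 bytes) -> %d  (rejected instead of smashing the stack)\n",
           checked_result("TRACKID", 300));
    /* copy_cookie_unchecked() on the same 300-byte TRACKID would overflow buf. */
    return 0;
}
```

The length check is the whole fix; on a target built without stack canaries, the unchecked copy turns a 300-byte cookie into control of the saved return address, which is why the advisory rates these as code execution rather than just a crash.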
Finally, attackers don’t even need valid credentials to reach protected parts of the interface. CVE-2026-22905 (CVSS 7.5) allows authentication bypass through path traversal in the request URI.
“An unauthenticated remote attacker can bypass authentication by exploiting insufficient URI validation and using path traversal sequences (e.g., /js/../cgi-bin/post.cgi),” the advisory notes. The authorization decision is evidently made on the raw request path before it is resolved: a path that begins with an unauthenticated prefix such as /js/ passes the check, and the ../ segment then carries the request to the protected CGI endpoint. This grants unauthorized access to sensitive endpoints, potentially allowing attackers to download the very configuration file needed to exploit the hardcoded-key vulnerability above.
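An added example, not WAGO’s code, of why an allow-list applied to the raw URI is bypassable and how normalising the path first closes the hole. The policy that only /js/ is public, the function names and the buffer sizes are assumptions for illustration; the advisory gives only the shape of the bypass.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Assumed access policy for the example: requests under /js/ (static assets)
 * need no session, everything else does. */
static bool has_prefix(const char *s, const char *prefix)
{
    return strncmp(s, prefix, strlen(prefix)) == 0;
}

/* FLAWED: the check runs on the raw request-target. "/js/../cgi-bin/post.cgi"
 * begins with "/js/", so it is treated as public, yet the file system (or the
 * CGI dispatcher) resolves it to /cgi-bin/post.cgi. */
bool requires_auth_naive(const char *uri)
{
    return !has_prefix(uri, "/js/");
}

/* Normalise an absolute URI path: drop the query string and empty segments,
 * collapse "." and "..". Returns false for a relative path, an overlong one,
 * or ".." that climbs above the root, so the caller can fail closed.
 * Percent-decoding is assumed to have happened already (e.g. %2e%2e -> ..). */
bool normalize_path(const char *uri, char *out, size_t outsz)
{
    char tmp[1024];
    char *segs[128];
    int n = 0;
    size_t len = strcspn(uri, "?");
    if (uri[0] != '/' || len >= sizeof tmp)
        return false;
    memcpy(tmp, uri, len);
    tmp[len] = '\0';
    for (char *tok = strtok(tmp, "/"); tok != NULL; tok = strtok(NULL, "/")) {
        if (strcmp(tok, ".") == 0)
            continue;
        if (strcmp(tok, "..") == 0) {
            if (n == 0)
                return false;             /* attempt to escape above "/" */
            n--;
            continue;
        }
        if (n == (int)(sizeof segs / sizeof segs[0]))
            return false;
        segs[n++] = tok;
    }
    size_t used = 0;
    for (int i = 0; i < n; i++) {
        size_t l = strlen(segs[i]);
        if (used + 1 + l + 1 > outsz)
            return false;
        out[used++] = '/';
        memcpy(out + used, segs[i], l);
        used += l;
    }
    if (used == 0) {                      /* path was "/" or reduced to it */
        if (outsz < 2)
            return false;
        out[used++] = '/';
    }
    out[used] = '\0';
    return true;
}

/* HARDENED: decide on the normalised path, and treat anything that cannot be
 * normalised as protected. */
bool requires_auth_fixed(const char *uri)
{
    char norm[1024];
    if (!normalize_path(uri, norm, sizeof norm))
        return true;
    return !has_prefix(norm, "/js/");
}

/* Convenience for demos and tests: does `uri` normalise to `expected`? */
bool normalizes_to(const char *uri, const char *expected)
{
    char norm[1024];
    return normalize_path(uri, norm, sizeof norm) && strcmp(norm, expected) == 0;
}

int main(void)
{
    const char *probe = "/js/../cgi-bin/post.cgi";   /* the advisory's example */
    printf("naive check: %s -> auth required? %s\n", probe,
           requires_auth_naive(probe) ? "yes" : "NO (bypass)");
    printf("fixed check: %s -> auth required? %s\n", probe,
           requires_auth_fixed(probe) ? "yes" : "no");
    return 0;
}
```

The order matters: the same normalisation the file system or CGI dispatcher will apply must run before the authorization decision, and the check must fail closed whenever the path cannot be normalised. In a real server, percent-decoding (and rejecting encoded slashes or NUL bytes) has to precede this step, or %2e%2e sails past the ".." handling.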
The advisory sums up the impact: “Successful exploitation may allow remote attackers to crash the web service, execute arbitrary code, bypass authentication controls, and obtain plaintext administrative credentials.” In other words, the switches that form the backbone of factory connectivity could be turned against their operators. Operators should consult the CERT@VDE advisory for remediation and, in the meantime, make sure the web management interface of these switches is not reachable from untrusted networks.