- CVE: CVE-2026-4769
- CVSS: 9.8 (Critical · CVSSv3)
- Product: WAGO 0765-110x/0100-0000
- Affected: 1.0.0.0
- Impact: Unauthenticated Access to Internal Diagnostic Interface
- Status: No confirmed exploitation yet
- Patched in: 1.2.1.100, 1.2.7.100, 1.2.7.103, 1.2.1.102 (+1 more)
- Action: Update to 1.2.1.100, 1.2.7.100, 1.2.7.103, 1.2.1.102 (+1 more) now
TL;DR
A critical flaw in WAGO System I/O field devices now has a fix. Tracked as CVE-2026-4769, the bug scores 9.8 on CVSS. An unauthenticated attacker can reach full system compromise during early boot. So far, no public exploitation has been confirmed.
Why it matters
WAGO System I/O devices run in industrial and building automation. They sit close to physical processes. A full takeover there can disrupt operations or safety. Because the attack needs no login, the barrier stays low. Many sites also expose these controllers on flat networks, which raises the risk further.
How the attack works
The device turns on a hidden diagnostic function during startup. This feature is not documented. For a short window in early boot, it opens without authentication. During that window, a remote attacker can reach internal system processes. As a result, they gain control before security controls load. We are not sharing exploit code or steps.
Exploitation status
CERT@VDE reports no known attacks in the wild. No public proof-of-concept exists at publication. Still, the 9.8 score marks this as urgent. Attackers watch such advisories closely. Patch before that window opens.
Affected versions
The issue affects several WAGO System I/O field models in the 0765 series. Each model has its own vulnerable firmware range below a fixed build. For example, some models patch at 1.2.7.103, while others patch at 1.2.1.100. According to CERT@VDE and NVD, the flaw carries a CVSS rating of 9.8.
Patch and mitigation
WAGO urges firmware updates without delay. Move each affected model to its listed fixed build. Until then, restrict network access to the devices. Segment operational networks and block untrusted traffic. For the model-by-model list, read the CERT@VDE advisory VDE-2026-031.
Support Our Threat Intelligence
If you find our CVE report and cybersecurity news helpful, consider supporting our work.