Critical Hidden Functionality Vulnerability in WAGO Industrial Managed Switches
Take action: Make sure all WAGO managed switches (Lean and Industrial series) are isolated from the internet and accessible from trusted networks only. Then update the firmware to the latest "S1" patched versions. If you can't patch immediately, disable SSH and Telnet so the command line is only reachable through a physical connection on the device itself.
CISA and WAGO GmbH & Co. KG report a critical vulnerability affecting WAGO's line of Industrial Managed Switches that allows unauthenticated remote attackers to bypass security restrictions and gain full control over the networking hardware.
The flaw is tracked as CVE-2026-3587 (CVSS score 10.0), a hidden functionality flaw in the Command Line Interface (CLI) prompt that allows an attacker to escape the restricted management environment. By exploiting this undocumented function, an unauthenticated user can break out of the limited CLI shell to access the underlying operating system. This mechanism enables the attacker to run arbitrary commands with administrative privileges.
An attacker with full device access can intercept or manipulate network traffic, disrupt communications between industrial controllers, and potentially use the switch as a persistent foothold for lateral movement into the broader corporate network.
Affected devices include the Lean Managed Switch series (852-1812, 852-1813, 852-1816) and the Industrial Managed Switch series (852-303, 852-1305, 852-1505, 852-602, 852-603, and 852-1605). Vulnerable firmware versions include those prior to specific "S1" patch releases, such as V1.2.1.S0 and V1.2.8.S0. WAGO has provided a full list of affected models and their corresponding fixed versions in their official security advisory.
Administrators must update affected switches to the latest firmware versions, typically identified by an "S1" suffix (e.g., V1.2.1.S1). If immediate patching is not feasible, WAGO recommends deactivating SSH and Telnet services to eliminate the remote attack vector.
For Industrial Managed Switch models, disabling these protocols ensures the CLI is only accessible through a physical RS232 connection, which prevents remote attackers from reaching the vulnerable interface.
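One way to triage an asset inventory against this advisory, as an added example that is not from WAGO or CISA: it flags affected models whose firmware lacks an "S1" suffix and reports whether SSH or Telnet is still reachable on them. The inventory format, the default ports, and the suffix heuristic are assumptions; the authoritative per-model fixed versions are in WAGO's advisory.

```python
import socket

# Affected models as listed in the article; per-model fixed versions are in WAGO's advisory.
AFFECTED_MODELS = {"852-1812", "852-1813", "852-1816", "852-303", "852-1305",
                   "852-1505", "852-602", "852-603", "852-1605"}
REMOTE_CLI_PORTS = {"ssh": 22, "telnet": 23}  # assumption: services on default ports

def port_open(host, port, timeout=1.0):
    """True if a TCP connection to host:port succeeds (service reachable)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def has_s1_patch(firmware):
    """Suffix heuristic (assumption): 'V1.2.1.S1' -> patched, 'V1.2.1.S0' -> not."""
    suffix = firmware.strip().upper().rsplit(".", 1)[-1]
    return suffix.startswith("S") and suffix[1:].isdigit() and int(suffix[1:]) >= 1

def audit(inventory, ports=REMOTE_CLI_PORTS, probe=port_open):
    """Return one finding per affected, unpatched switch, with its reachable remote CLIs."""
    findings = []
    for dev in inventory:
        if dev["model"] not in AFFECTED_MODELS or has_s1_patch(dev["firmware"]):
            continue
        exposed = sorted(name for name, p in ports.items() if probe(dev["host"], p))
        if exposed:
            action = "disable " + "/".join(exposed) + " now, then update firmware"
        else:
            action = "update firmware; remote CLI not reachable from this vantage point"
        findings.append({"host": dev["host"], "model": dev["model"],
                         "firmware": dev["firmware"], "exposed": exposed,
                         "action": action})
    return findings

if __name__ == "__main__":
    # Constructed inventory and stubbed probe so the demo runs offline.
    inventory = [
        {"host": "192.0.2.10", "model": "852-1305", "firmware": "V1.2.1.S0"},
        {"host": "192.0.2.11", "model": "852-603", "firmware": "V1.2.8.S1"},
    ]
    stub = lambda host, port: (host, port) == ("192.0.2.10", 23)
    for finding in audit(inventory, probe=stub):
        print(finding)
```

Run it from each network segment that should not reach the switches; a clean result only covers the vantage point it was run from.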