Hidden CLI Function Escape in WAGO Managed Switches

Successful exploitation provides complete compromise of the affected switch. An attacker can obtain root-level access to the underlying Linux OS, which implies full control over the device, including the ability to alter configuration, disrupt switching or management functions, access sensitive data present on the device, and use the device as a foothold for further activity in the operational or enterprise network. The provided CVSS v3.1 vector (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H) indicates high impact to confidentiality, integrity, and availability.

Until firmware updates can be applied, disable SSH and Telnet management access to remove or reduce the remote attack surface. The vendor specifically advised disabling SSH and Telnet on Lean Managed Switch models to eliminate the attack vector, and disabling SSH and Telnet on Industrial Managed Switch models to reduce the attack vector while keeping CLI access local via RS232 where supported. Restrict management-plane network exposure as much as operationally possible.

Apply the vendor-fixed firmware versions for affected models. The provided context states the following fixed releases: V1.2.1.S1 for Lean Managed Switch models 852-1812, 852-1813, 852-1816, 852-1812/010-000, 852-1813/010-000, 852-1816/010-000, and 852-1813/010-001; V1.2.3.S1 for Lean Managed Switch 852-1813/000-001; V1.2.8.S1 for Industrial Managed Switch 852-303; V1.2.0.S1 for Industrial Managed Switch 852-1305, 852-1305/000-001, and 852-1505/000-001; V1.1.9.S1 for Industrial Managed Switch 852-1505; V1.0.6.S1 for Industrial Managed Switch 852-602 and 852-603; and V1.2.5.S1 for Industrial Managed Switch 852-1605. Firmware versions prior to these releases are stated to be affected.