Back to Intelligence

Critical WAGO Switch CLI Escape: Patching Guide for CVE-2026-3587

SA
Security Arsenal Team
April 2, 2026
6 min read

Industrial control systems (ICS) are the backbone of critical infrastructure, and the security of the networking equipment managing them is paramount. A recent vulnerability affecting WAGO GmbH & Co. KG Industrial Managed Switches highlights the ongoing risks in Operational Technology (OT) environments.

Designated as CVE-2026-3587, this flaw allows an unauthenticated remote attacker to exploit a hidden function within the Command Line Interface (CLI). By triggering this function, an attacker can escape the restricted interface and gain full administrative control over the device. For defenders, this represents a critical pathway for initial access and lateral movement within an industrial network.

Technical Analysis

The vulnerability stems from a security issue in the CLI prompt of affected WAGO switch firmware. The restricted interface, typically designed to limit user capabilities, contains a hidden function that can be manipulated to break out of the constrained environment. This "CLI escape" effectively bypasses the intended security controls, granting the attacker full privileges on the underlying operating system of the switch.

Once the attacker has achieved full compromise, they can alter device configurations, intercept network traffic, or use the switch as a pivot point to attack deeper into the ICS environment, potentially disrupting physical processes.

Affected Products

The following WAGO hardware models running firmware versions prior to the specified updates are vulnerable:

  • WAGO 852-1812: Firmware prior to V1.2.1.S0
  • WAGO 852-1813: Firmware prior to V1.2.1.S0
  • WAGO 852-1813/000-001: Firmware prior to V1.2.3.S0
  • WAGO 852-1816: Firmware prior to V1.2.1.S0
  • WAGO 852-303: Firmware prior to V1.2.8.S0
  • WAGO 852-1305: Firmware prior to V1.2.0.S0

(CVE ID: CVE-2026-3587)

Defensive Monitoring

Detecting this vulnerability requires monitoring for unusual administrative interactions with these devices. Since the attack involves exploiting the CLI, defenders should look for unexpected usage of SSH or Telnet, as well as suspicious command-line arguments on management hosts.

SIGMA Rules

The following SIGMA rules can be deployed in your SIEM to detect suspicious behavior related to the exploitation of this vulnerability or the management of these devices.

YAML
---
title: Suspicious Outbound SSH Connection to OT Network
id: 8c4f2a1b-9d3e-4f5a-8b2c-1d3e4f5a6b7c
status: experimental
description: Detects outbound SSH or Telnet connections from non-standard administrative workstations to internal network segments, potentially indicating access to OT devices like WAGO switches.
references:
  - https://www.cisa.gov/news-events/ics-advisories/icsa-26-085-01
author: Security Arsenal
date: 2026/03/01
tags:
  - attack.initial_access
  - attack.t1190
logsource:
  category: network_connection
  product: windows
detection:
  selection:
    DestinationPort:
      - 22
      - 23
    Initiated: 'true'
  filter:
    Image|endswith:
      - '\putty.exe'
      - '\ssh.exe'
      - '\plink.exe'
      - '\telnet.exe'
    User|contains:
      - 'admin'
      - 'service'
      - 'svc_'
  condition: selection and not filter
falsepositives:
  - Legitimate administrative access by engineers using non-standard tools
level: medium
---
title: Industrial Switch Management Tool Execution
id: a2b3c4d5-e6f7-4a5b-8c9d-0e1f2a3b4c5d
status: experimental
description: Detects execution of common industrial management tools (WAGO specific or generic) which may be used to exploit CLI interfaces.
references:
  - https://attack.mitre.org/techniques/T1059/
author: Security Arsenal
date: 2026/03/01
tags:
  - attack.execution
  - attack.t1059.001
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    Image|endswith:
      - '\WAGO-Software.exe'
      - '\CodeSys.exe'
      - '\ethernet-config.exe'
    CommandLine|contains:
      - 'cli'
      - 'script'
      - 'enable'
  condition: selection
falsepositives:
  - Legitimate configuration changes by OT personnel
level: low

KQL Queries

For Microsoft Sentinel or Defender for Identity, use the following KQL queries to identify potential reconnaissance or exploitation attempts.

KQL — Microsoft Sentinel / Defender
// Detect successful logons to WAGO devices or similar OT assets
// Note: Requires authentication logs or firewall logs forwarded to Sentinel
DeviceNetworkEvents
| where ActionType in ("ConnectionSuccess", "InboundConnectionAccepted")
| where RemotePort in (22, 23, 102, 502) 
| where InitiatingProcessFileName !in ("putty.exe", "ssh.exe", "telnet.exe")
| project Timestamp, DeviceName, InitiatingProcessAccountName, RemoteIP, RemotePort, RemoteUrl
| summarize count() by DeviceName, RemoteIP, InitiatingProcessAccountName


// Hunt for processes interacting with potential industrial IP ranges
// Update the IP range CIDR to match your OT environment
let OTRange = "10.20.30.0/24"; 
DeviceProcessEvents 
| where InitiatingProcessFileName in~ ("putty.exe", "plink.exe", "ssh.exe", "telnet.exe", "powershell.exe")
| where IPV4 matches regex @"\b10\.(" + OTRange + ")" // Simplified regex for demo, normally precise CIDR match logic is used
| project Timestamp, DeviceName, AccountName, ProcessCommandLine, InitiatingProcessFileName

Velociraptor VQL

Use these Velociraptor queries to hunt for indicators of compromise on endpoints that may be used as jump hosts.

VQL — Velociraptor
-- Hunt for active SSH/Telnet connections to non-standard ports
SELECT Pid, ProcessName, CommandLine, RemoteAddress, RemotePort, State
FROM process_listing(pid=plist())
WHERE Name =~ 'ssh' OR Name =~ 'telnet' OR Name =~ 'putty'

-- Search for SSH history or known config files that might contain WAGO IPs
SELECT FullPath, Mtime, Size, Data
FROM glob(globs='C:\Users\*\ssh\config', globs='C:\Users\*\.ssh\known_hosts')
WHERE Data =~ '10.' OR Data =~ '192.168.'

PowerShell Remediation Script

While patching is the primary remediation, this script can help administrators inventory affected devices on the network.

PowerShell
<#
.SYNOPSIS
    Scans a subnet for open SSH/Telnet ports to identify WAGO devices.
.DESCRIPTION
    This script attempts to connect to common WAGO management ports to identify hosts that require patching.
    Note: Update the $Subnet variable to match your industrial network range.
#>

$Subnet = "192.168.1"
$Ports = @(22, 23, 80, 443)
$FoundDevices = @()

1..254 | ForEach-Object {
    $IP = "$Subnet.$_"
    Write-Host "Scanning $IP..." -NoNewline
    
    foreach ($Port in $Ports) {
        try {
            $TcpClient = New-Object System.Net.Sockets.TcpClient
            $Connect = $TcpClient.BeginConnect($IP, $Port, $null, $null)
            $Wait = $Connect.AsyncWaitHandle.WaitOne(100, $false)
            
            if ($Wait) {
                Write-Host " [Open Port $Port]" -ForegroundColor Cyan
                $FoundDevices += [PSCustomObject]@{
                    IPAddress = $IP
                    Port     = $Port
                    Status   = "Open"
                }
                $TcpClient.Close()
            } else {
                $TcpClient.Close()
            }
        } catch {
            # Ignore connection errors
        }
    }
}

if ($FoundDevices) {
    Write-Host "\nPotential devices found requiring verification:" -ForegroundColor Yellow
    $FoundDevices | Format-Table -AutoSize
} else {
    Write-Host "No devices found on specified range." -ForegroundColor Green
}

Remediation

To mitigate the risk posed by CVE-2026-3587, organizations should take the following immediate steps:

  1. Patch Firmware: WAGO has released firmware updates to address this vulnerability. Update all affected devices to the firmware versions listed in the Technical Analysis section immediately.
  2. Restrict CLI Access: Ensure that CLI access (SSH/Telnet) is strictly controlled. Use firewall rules to restrict management access to specific, secured administrative subnets (Jump Servers) rather than allowing access from the broader corporate network.
  3. Disable Unused Services: If Telnet is not required for operations, disable it in favor of SSH. If neither is required for daily operations, consider disabling the CLI service entirely if the device configuration allows, relying solely on the web interface (which should also be secured).
  4. Network Segmentation: Verify that affected switches are located behind proper firewalls and that ICS protocols are not routable to the general enterprise IT network.
  5. Monitor for Anomalies: Deploy the detection rules provided above to alert on any unexpected attempts to interact with the CLI interfaces of these devices.

Related Resources

Security Arsenal Alert Triage Automation AlertMonitor Platform Book a SOC Assessment platform Intel Hub

alert-fatiguetriagealertmonitorsocics-otwagocveindustrial-security

Is your security operations ready?

Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.

Book a SOC AssessmentSee AlertMonitor in Action