CVE-2026-3587: WAGO Industrial Managed Switch CLI Escape — Detection and Hardening Guide

Security Arsenal Team
April 21, 2026

Introduction

Security Arsenal is tracking a critical vulnerability (CVE-2026-3587) affecting WAGO GmbH & Co. KG Industrial Managed Switches. Per CISA Advisory ICSA-26-085-01, an unauthenticated remote attacker can exploit a hidden function within the device's Command Line Interface (CLI) to escape the restricted environment. This results in a complete compromise of the device, granting attackers full control over the industrial switch and potential pivot points into the OT network.

Given the prevalence of WAGO hardware in manufacturing and critical infrastructure, this vulnerability represents a high-risk pathway for initial access and lateral movement. Defenders must identify exposed assets and apply updates immediately.

Technical Analysis

  • CVE Identifier: CVE-2026-3587
  • Affected Component: CLI Prompt / Restricted Interface
  • Attack Vector: Network (Adjacent)
  • Impact: Full Device Compromise (Escape restricted interface)
  • Severity: Critical (Unauthenticated exploitation leading to full control)

Affected Products and Versions

The following WAGO hardware models running firmware prior to the listed versions are vulnerable:

  • 852-1812: Firmware prior to V1.2.1.S0
  • 852-1813: Firmware prior to V1.2.1.S0
  • 852-1813/000-001: Firmware prior to V1.2.3.S0
  • 852-1816: Firmware prior to V1.2.1.S0
  • 852-303: Firmware prior to V1.2.8.S0
  • 852-1305: Firmware prior to V1.2.0.S0

Vulnerability Mechanics

The vulnerability resides in a hidden function within the CLI prompt. The interface is designed to provide a restricted set of commands to users. However, by issuing specific input to this hidden function, an attacker can break out of the restricted CLI shell. This "CLI escape" bypasses standard access controls, allowing the attacker to execute arbitrary system-level commands. No authentication is required to trigger this escape, making it trivial for an actor with network access to the management interface to gain root or system-level privileges.

Detection & Response

SIGMA Rules

The following rules focus on detecting suspicious CLI access patterns and indicators of shell escape attempts on WAGO devices. These assume logs are forwarded via Syslog to a SIEM.

YAML
---
title: Potential WAGO CLI Escape Attempt
id: a1b2c3d4-5678-90ab-cdef-1234567890ab
status: experimental
description: Detects potential CLI escape attempts on WAGO devices by identifying shell escape sequences or restricted commands in Syslog.
references:
  - https://www.cisa.gov/news-events/ics-advisories/icsa-26-085-01
author: Security Arsenal
date: 2026/02/25
tags:
  - attack.initial_access
  - attack.command_and_control
  - ics
logsource:
  product: wago
  service: syslog
detection:
  selection_device:
    SyslogMessage|contains:
      - '852-'
  selection_escape:
    SyslogMessage|contains:
      - '!sh'
      - '!bash'
      - 'shell'
      - 'system('
  condition: selection_device and selection_escape
falsepositives:
  - Legitimate administrator troubleshooting using shell escape sequences
level: high
---
title: Unauthenticated Access to WAGO Management Interface
id: b2c3d4e5-6789-01ab-cdef-2345678901bc
status: experimental
description: Detects successful web or CLI logins to WAGO devices from non-management subnets or unusual user agents.
references:
  - https://www.cisa.gov/news-events/ics-advisories/icsa-26-085-01
author: Security Arsenal
date: 2026/02/25
tags:
  - attack.initial_access
  - ics
logsource:
  category: firewall
  product: fortinet
detection:
  selection:
    DestinationPort:
      - 80
      - 443
      - 22
    DestinationHostname|contains:
      - 'wago'
    Action: 'accept'
  filter_mgmt:
    SourceIP|cidr:
      - '10.0.0.0/8' # Adjust to match your management subnets
      - '192.168.1.0/24'
  condition: selection and not filter_mgmt
falsepositives:
  - New engineering workstation connecting to switch
level: medium

KQL (Microsoft Sentinel)

This query hunts for WAGO devices logging messages indicative of administrative access or shell commands, which are post-exploitation artifacts of CLI escape.

KQL — Microsoft Sentinel / Defender
Syslog
| where SyslogMessage has "852-"
| where SyslogMessage has_any ("COMMAND", "EXEC", "SHELL", "/bin/sh", "/bin/bash")
| project TimeGenerated, ComputerIP, HostName, SyslogMessage, ProcessName
| summarize count() by ComputerIP, HostName, bin(TimeGenerated, 5m)
| where count_ > 5

Velociraptor VQL

Use this VQL query to hunt, on engineering workstations or jump servers, for processes that may be interacting with WAGO infrastructure through common scanning tools (such as nmap or masscan) or scripts that reference WAGO models, which could indicate scanning for this vulnerability.

VQL — Velociraptor
-- Hunt for scanning tools and scripts that reference WAGO infrastructure
-- (parentheses make the AND/OR grouping explicit)
SELECT Pid, Name, CommandLine, Exe, Username, CreateTime
FROM pslist()
WHERE Name =~ 'nmap'
   OR Name =~ 'masscan'
   OR (Name =~ 'python' AND CommandLine =~ '852')
   OR (Name =~ 'powershell' AND CommandLine =~ 'WAGO')

Remediation Script

This Bash script helps administrators identify WAGO devices on the network by matching the model number in the device's HTTP banner and flagging affected models. The firmware version itself is then checked against the fixed version for that model, via the web API where accessible. Note: verify the specific API endpoints for your WAGO models before automating that step.

Bash / Shell
#!/bin/bash
# Check script for CVE-2026-3587
# Scans a subnet for WAGO devices and flags affected models; the firmware of each
# flagged device must then be compared with the fixed version for its model.
set -u

SUBNET="192.168.1.0/24" # Update to match your OT subnet
VULNERABLE_MODELS=("852-1812" "852-1813" "852-1816" "852-303" "852-1305")

# Discovery needs nmap; the banner grab needs curl
for tool in nmap curl; do
    command -v "$tool" >/dev/null 2>&1 || { echo "Missing required tool: $tool" >&2; exit 1; }
done

echo "Scanning $SUBNET for WAGO devices..."

# Ping sweep, keeping only the addresses that answered
for ip in $(nmap -sn "$SUBNET" | grep -oP '\d+\.\d+\.\d+\.\d+'); do
    # Pull the first model number (852-xxxx) from the device's HTTP landing page
    response=$(curl -s -m 2 "http://$ip" | grep -oP '852-\d+' | head -n 1)
    if [ -n "$response" ]; then
        echo "Found WAGO Device: $ip - Model: $response"
        # Version check would go here, usually via model-specific API calls;
        # for now, flag the presence of affected models (exact match, so that
        # 852-303 does not also match a model such as 852-3031)
        for model in "${VULNERABLE_MODELS[@]}"; do
            if [[ "$response" == "$model" ]]; then
                echo "[ALERT] Device $ip matches vulnerable model $model. Check firmware manually."
            fi
        done
    fi
done
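The script above flags affected models but leaves the firmware comparison manual. The following Python helper is an added example, not part of the original post, that performs that comparison against the fixed versions listed under Affected Products and Versions; the inventory rows and the 852-9999 model are constructed sample data.

```python
import re
from typing import Optional

# Fixed firmware per model, from the affected-products table on this page. The
# 852-1813/000-001 variant has a later fixed version than the plain 852-1813.
FIXED_VERSIONS = {
    "852-1812": "V1.2.1.S0",
    "852-1813": "V1.2.1.S0",
    "852-1813/000-001": "V1.2.3.S0",
    "852-1816": "V1.2.1.S0",
    "852-303": "V1.2.8.S0",
    "852-1305": "V1.2.0.S0",
}

# Versions on this page look like V1.2.1.S0: three numeric parts plus an S<n> suffix.
# Comparing int tuples avoids string ordering, which ranks V1.2.10.S0 below V1.2.8.S0.
_VERSION_RE = re.compile(r"^V(\d+)\.(\d+)\.(\d+)\.S(\d+)$", re.IGNORECASE)

def parse_version(version: str) -> tuple:
    """Turn 'V1.2.1.S0' into (1, 2, 1, 0); raise ValueError on an unrecognised string."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised WAGO firmware version: {version!r}")
    return tuple(int(x) for x in m.groups())

def is_vulnerable(model: str, firmware: str) -> Optional[bool]:
    """True if firmware is older than the fixed version for this model, False if it
    is at or above it, None if the model is not in the affected list."""
    fixed = FIXED_VERSIONS.get(model.strip())
    if fixed is None:
        return None
    return parse_version(firmware) < parse_version(fixed)

def vulnerable_hosts(inventory):
    """Return the IPs from (ip, model, firmware) rows whose firmware is below the fix."""
    return [ip for ip, model, fw in inventory if is_vulnerable(model, fw)]

# Constructed sample inventory, as an asset scan or switch export might report it.
SAMPLE_INVENTORY = [
    ("192.0.2.10", "852-1812", "V1.2.0.S0"),          # below V1.2.1.S0: vulnerable
    ("192.0.2.11", "852-1813/000-001", "V1.2.1.S0"),  # variant needs V1.2.3.S0: vulnerable
    ("192.0.2.12", "852-1813", "V1.2.1.S0"),          # base model fixed here: patched
    ("192.0.2.13", "852-303", "V1.2.10.S0"),          # above V1.2.8.S0 numerically: patched
    ("192.0.2.14", "852-9999", "V1.0.0.S0"),          # not an affected model: unknown
]

if __name__ == "__main__":
    for ip, model, fw in SAMPLE_INVENTORY:
        print(f"{ip} {model} {fw} -> vulnerable={is_vulnerable(model, fw)}")
```

Feed it the model and firmware strings collected per device (for example from the switch's web API or a configuration export) and act on the rows it reports as vulnerable.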

Remediation

  1. Patch Immediately: Apply the vendor-provided firmware updates to eliminate the vulnerability.

    • 852-1812: Update to firmware V1.2.1.S0 or later.
    • 852-1813: Update to firmware V1.2.1.S0 or later.
    • 852-1813/000-001: Update to firmware V1.2.3.S0 or later.
    • 852-1816: Update to firmware V1.2.1.S0 or later.
    • 852-303: Update to firmware V1.2.8.S0 or later.
    • 852-1305: Update to firmware V1.2.0.S0 or later.

  2. Network Segmentation: Ensure WAGO management interfaces (Ports 22, 80, 443) are not accessible from the internet or untrusted network zones. Restrict access to specific management VLANs.

  3. CISA Guidance: Refer to CISA Advisory ICSA-26-085-01 for specific technical mitigation steps if patching cannot be performed immediately. Review the WAGO Security Advisory for download links.