
CVE-2026-3587: WAGO Industrial Managed Switches CLI Escape — Detection and Remediation Guide

Security Arsenal Team
April 13, 2026

Introduction

CISA has released ICS Advisory ICSA-26-085-01 regarding a critical security vulnerability (CVE-2026-3587) affecting multiple WAGO GmbH & Co. KG Industrial Managed Switches. This vulnerability allows an unauthenticated, remote attacker to exploit a hidden function within the Command Line Interface (CLI) to escape the restricted environment.

For defenders, this is a "call to arms" scenario. The vulnerability effectively bypasses the intended administrative boundaries of the device, leading to a full system compromise. In an Operational Technology (OT) environment, where switches form the backbone of industrial control systems (ICS), a compromise of this nature can serve as a pivot point to disrupt safety-critical processes or deploy malware like ransomware across the industrial network. Immediate patching and network segmentation are non-negotiable.

Technical Analysis

CVE Identifier

CVE-2026-3587 (CVSS v3.x Score: 9.8 Critical - Estimated based on impact description)

Affected Platforms

The vulnerability specifically impacts the following WAGO hardware models running firmware versions prior to the listed remediation versions:

Hardware Model            Vulnerable Firmware Versions   Patched Version
WAGO 852-1812             Prior to V1.2.1.S0             V1.2.1.S0
WAGO 852-1813             Prior to V1.2.1.S0             V1.2.1.S0
WAGO 852-1813/000-001     Prior to V1.2.3.S0             V1.2.3.S0
WAGO 852-1816             Prior to V1.2.1.S0             V1.2.1.S0
WAGO 852-303              Prior to V1.2.8.S0             V1.2.8.S0
WAGO 852-1305             Prior to V1.2.0.S0             V1.2.0.S0

Vulnerability Mechanics

The vulnerability exists in the restricted CLI interface of the managed switch. Under normal operations, the CLI provides a limited set of commands for troubleshooting or configuration, preventing users from accessing the underlying Linux-based operating system.

  1. Attack Vector: Remote, unauthenticated network access.
  2. Weakness: The device contains a hidden, undocumented function within the CLI prompt logic.
  3. Exploitation: An attacker sends a specific payload to the CLI interface (accessible via Telnet/SSH or serial console depending on configuration). This payload triggers the "hidden function," breaking out of the restricted CLI jail.
  4. Impact: The attacker gains full shell access (root privileges) to the switch's operating system. This allows them to modify firmware, intercept traffic, alter configurations, or move laterally to connected PLCs and HMIs.

Exploitation Status

While the advisory confirms the existence of the vulnerability, defenders should assume that exploitation scanning is imminent or already occurring, given the publication of a CISA advisory. Given its "hidden function" nature, the flaw was most likely found through fuzzing or reverse engineering of the CLI.


Detection & Response

Detecting this specific exploit requires monitoring for administrative access to the CLI interface and analyzing logs for indicators of jailbreak behavior or unusual command execution. Since WAGO devices are embedded Linux systems, standard endpoint detection is rarely available. Detection relies heavily on Syslog forwarding and network monitoring.

SIGMA Rules

Use these rules in your SIEM to detect potential access to the WAGO CLI or indicators of the escape mechanism.

YAML
---
title: WAGO Switch CLI Login Access
id: 3a1b9c2d-4e5f-6a7b-8c9d-0e1f2a3b4c5d
status: experimental
description: Detects successful login attempts to WAGO managed switches via SSH or Telnet. While administrative access is legitimate, a spike from unexpected internal IPs may indicate scanning for CVE-2026-3587.
references:
  - https://www.cisa.gov/news-events/ics-advisories/icsa-26-085-01
author: Security Arsenal
date: 2026/02/20
tags:
  - attack.initial_access
  - attack.t1078
logsource:
  product: wago
  service: syslog
detection:
  selection:
    program|contains:
      - 'sshd'
      - 'telnetd'
    msg|contains:
      - 'Accepted'
      - 'login success'
  condition: selection
falsepositives:
  - Legitimate administrator maintenance
level: medium
---
title: WAGO Suspicious CLI Escape Sequence
id: 8c9d0e1f-2a3b-4c5d-6e7f-8a9b0c1d2e3f
status: experimental
description: Detects potential CLI escape characters or command injection often associated with jailbreaking restricted interfaces on embedded devices.
references:
  - https://www.cisa.gov/news-events/ics-advisories/icsa-26-085-01
author: Security Arsenal
date: 2026/02/20
tags:
  - attack.execution
  - attack.t1059.004
logsource:
  product: wago
  service: syslog
detection:
  selection_keywords:
    # Match the interpreter path rather than the bare token 'sh', which would
    # also hit unrelated messages such as 'ssh' or 'flush'
    msg|contains:
      - '/bin/sh'
      - 'bin/bash'
      - 'exec '
  selection_separators:
    msg|contains:
      - '|'
      - ';'
      - '&&'
      - '`'
  condition: all of selection_*
falsepositives:
  - Administrator troubleshooting commands
level: high
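As an added example (not part of the original post or any Security Arsenal tooling), the following Python applies the logic of both rules above to constructed syslog lines and additionally flags logins whose client address is not in an allow-list of engineering workstations. The host name, addresses and allow-list are assumed values; shell keywords are matched as whole tokens so that `ssh` or `executed` do not trigger the `sh` / `exec` indicators.

```python
import re

# Constructed sample syslog lines (not real device output), in the shape the
# SIGMA rules above expect: host, program[pid], message.
SAMPLE_LOGS = [
    "switch-852-1812 sshd[412]: Accepted password for admin from 10.20.1.15 port 52311 ssh2",
    "switch-852-1812 sshd[419]: Accepted password for admin from 10.20.7.99 port 40122 ssh2",
    "switch-852-1812 telnetd[77]: login success for user admin from 10.20.7.99",
    "switch-852-1812 cli[80]: command 'ping 10.20.1.1' executed",
    "switch-852-1812 cli[81]: command 'show version; /bin/sh' rejected",
    "switch-852-1812 sshd[420]: Disconnected from 10.20.1.15 port 52311",
]

# Engineering workstations allowed to manage the switches (assumed values).
ALLOWED_MGMT_IPS = {"10.20.1.15"}

LOGIN_PROGRAMS = ("sshd", "telnetd")
LOGIN_MARKERS = ("Accepted", "login success")
# Whole-token shell keywords: 'sh' inside 'ssh2' or 'exec' inside 'executed' do not match.
SHELL_KEYWORDS = re.compile(r"(?<![\w/])(?:/bin/)?(?:sh|bash|dash)\b|\bexec\b")
SEPARATORS = ("|", ";", "&&", "`")
SRC_IP = re.compile(r"from (\d{1,3}(?:\.\d{1,3}){3})")


def parse(line):
    """Split 'host program[pid]: msg' into (program, msg)."""
    m = re.match(r"\S+ (\w+)(?:\[\d+\])?: (.*)", line)
    return (m.group(1), m.group(2)) if m else ("", line)


def classify(line):
    """Return the alert tags for one syslog line (empty list if benign)."""
    program, msg = parse(line)
    alerts = []
    # Rule 1: management login; tag the source so unexpected clients stand out
    if program in LOGIN_PROGRAMS and any(k in msg for k in LOGIN_MARKERS):
        src = SRC_IP.search(msg)
        ip = src.group(1) if src else "unknown"
        alerts.append("login" if ip in ALLOWED_MGMT_IPS else f"login-unexpected-src:{ip}")
    # Rule 2: shell keyword AND a command separator in the same message
    if SHELL_KEYWORDS.search(msg) and any(s in msg for s in SEPARATORS):
        alerts.append("cli-escape-indicator")
    return alerts


def triage(lines):
    """Map each alerting line to its tags; benign lines are dropped."""
    return {line: tags for line in lines if (tags := classify(line))}


if __name__ == "__main__":
    for line, tags in triage(SAMPLE_LOGS).items():
        print(tags, "<-", line)
```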

KQL (Microsoft Sentinel / Defender)

Hunt for successful management logins and anomalies in Syslog or CommonSecurityLog data.

KQL — Microsoft Sentinel / Defender
// Hunt for WAGO Switch Management Access
let WAGO_Ranges = dynamic(["192.168.10.0/24", "10.0.0.0/8"]); // Update with your OT subnets
Syslog
// Computer is a host name; match the device address (HostIP) against the CIDR ranges instead
| where ipv4_is_in_any_range(HostIP, WAGO_Ranges) or ProcessName contains "sshd"
| where SyslogMessage has "Accepted"
    or SyslogMessage has "login"
| extend DeviceModel = extract(@"852-\d+", 0, SyslogMessage)
// Syslog has no SourceIP column; pull the client address out of the sshd/telnetd message text
| extend SourceIP = extract(@"from (\d{1,3}(?:\.\d{1,3}){3})", 1, SyslogMessage)
| project TimeGenerated, Computer, HostIP, ProcessName, SyslogMessage, DeviceModel, SourceIP
| order by TimeGenerated desc


// Hunt for anomalous process execution on Linux-based endpoints (if agents deployed)
// DeviceProcessEvents carries no DeviceType column, so take the device class from DeviceInfo
DeviceProcessEvents
| where InitiatingProcessFileName in ("sh", "bash", "dash", "busybox")
| where FileName in ("nc", "telnet", "wget", "curl")
| join kind=inner (
    DeviceInfo
    | where DeviceType == "IoT" // Assuming IoT classification for switches
    | distinct DeviceId
  ) on DeviceId
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine, InitiatingProcessFileName
| order by Timestamp desc

Velociraptor VQL

This artifact hunts for network connections established to common WAGO management ports (22, 23, 80, 443) from endpoints within the environment, potentially indicating an attacker pivoting to scan for vulnerable switches.

VQL — Velociraptor
-- Hunt for connections to WAGO Switch Management Ports
-- Uses the columns returned by Velociraptor's netstat() plugin (Raddr.IP, Raddr.Port,
-- Status, Pid, Name) and looks the command line up from pslist() per matching PID
SELECT Raddr.IP AS RemoteAddress,
       Raddr.Port AS RemotePort,
       Pid,
       Name,
       { SELECT CommandLine FROM pslist(pid=Pid) } AS Cmdline
FROM netstat()
WHERE Raddr.Port IN (22, 23, 80, 443)
  AND Status =~ 'ESTAB'
  -- Filter out loopback and known management IPs to reduce noise
  AND NOT Raddr.IP IN ('127.0.0.1', '::1')

Remediation Script

Since the affected devices are managed switches, no script can be run on the device itself (there is no PowerShell or endpoint agent). Instead, a Bash script on a Linux-based administrative server can scan the subnet for WAGO devices and retrieve their firmware versions to identify vulnerable units. Note: This script assumes HTTP/HTTPS access is enabled and the standard WAGO web info page is accessible.

Bash / Shell
#!/bin/bash

# WAGO Firmware Vulnerability Scanner for CVE-2026-3587
# Usage: ./scan_wago.sh <subnet> (e.g., 192.168.1)

set -u

SUBNET="${1:-}"

if [ -z "$SUBNET" ]; then
  echo "Usage: $0 <subnet>"
  exit 1
fi

echo "Scanning subnet $SUBNET.0/24 for WAGO devices and checking firmware versions..."

# Define vulnerable hardware and minimum patched versions
# Format: "HW_MODEL:MIN_PATCHED_VERSION"
VULN_MAP=(
  "852-1812:V1.2.1.S0"
  "852-1813:V1.2.1.S0"
  "852-1816:V1.2.1.S0"
  "852-303:V1.2.8.S0"
  "852-1305:V1.2.0.S0"
  "852-1813/000-001:V1.2.3.S0"
)

# Look up the patched version for a hardware model from VULN_MAP; prints nothing if unlisted
min_version_for() {
  local hw_model="$1" entry
  for entry in "${VULN_MAP[@]}"; do
    if [ "${entry%%:*}" = "$hw_model" ]; then
      echo "${entry#*:}"
      return 0
    fi
  done
  return 1
}

check_version() {
  local hw_model="$1"
  local current_ver="$2"
  local min_ver="$3"

  # Compare version-aware with sort -V rather than as plain strings, so that
  # e.g. V1.2.10.S0 is correctly treated as newer than V1.2.8.S0
  if [ "$current_ver" != "$min_ver" ] \
     && [ "$(printf '%s\n' "$current_ver" "$min_ver" | sort -V | head -n1)" = "$current_ver" ]; then
    echo "[!] VULNERABLE: $hw_model firmware $current_ver is older than patched $min_ver"
  else
    echo "[+] Patched or Safe: $hw_model firmware $current_ver"
  fi
}

# Scan loop
for i in {1..254}; do
  IP="$SUBNET.$i"

  # Quick check if port 80 is open (simple probe)
  if timeout 1 bash -c "cat < /dev/null > /dev/tcp/$IP/80" 2>/dev/null; then
    # Try to fetch the device info page (common path for WAGO)
    # Note: WAGO devices often expose info at / or /cgi-bin/
    RESPONSE=$(curl -s --max-time 2 "http://$IP" | grep -oP '(?<=<title>).*?(?=</title>)' || echo "Unknown")

    # If response contains WAGO, try to identify model/firmware (Generic logic)
    if echo "$RESPONSE" | grep -qi "wago"; then
      # printf rather than echo, which would print a literal "\n" here
      printf '\nDevice Found: %s (%s)\n' "$IP" "$RESPONSE"
      # Actual version extraction would require specific API calls or parsing of the HTML source
      # This is a placeholder for where you would implement version parsing logic
      # e.g., curl -s http://$IP/PLC/WEBPLC/EDITPLC.htm | grep Firmware
      # Once MODEL and FIRMWARE have been parsed, evaluate them against the table with:
      #   check_version "$MODEL" "$FIRMWARE" "$(min_version_for "$MODEL")"
      echo "Manual verification required for firmware version."
      echo "Refer to advisory ICSA-26-085-01 for specific hardware checks."
    fi
  fi
done

printf '\nScan complete.\n'

Remediation

To address CVE-2026-3587, organizations must apply the specific firmware updates provided by WAGO. There are currently no known workarounds that fully mitigate this vulnerability without patching, though network segmentation can reduce exposure.

Patching Instructions

Update affected devices to the following firmware versions or later:
  1. WAGO 852-1812: Update to V1.2.1.S0
  2. WAGO 852-1813: Update to V1.2.1.S0
  3. WAGO 852-1813/000-001: Update to V1.2.3.S0
  4. WAGO 852-1816: Update to V1.2.1.S0
  5. WAGO 852-303: Update to V1.2.8.S0
  6. WAGO 852-1305: Update to V1.2.0.S0

Firmware updates and release notes can be obtained via the official WAGO support portal.

Defensive Mitigations

  • Minimize Attack Surface: Ensure management interfaces (SSH, Telnet, HTTP) are not exposed to the internet or untrusted network zones. Use strict firewall rules (ACLs) to limit management access to specific engineering workstations.
  • Disable Unused Services: If Telnet is not required for operations, disable it in favor of SSH only.
  • Network Segmentation: Isolate ICS devices in separate VLANs. Ensure the WAGO switches are placed behind a firewall or DMZ that prevents direct access from the corporate IT network without jumping through a secure bastion host.

Vendor Advisory

CISA ICS Advisory ICSA-26-085-01
