How to Secure OT Networks Against the WAGO Switch CLI Escape Vulnerability
Operational Technology (OT) and Industrial Control Systems (ICS) are the backbone of critical infrastructure, and securing the network edge is paramount. A recent vulnerability affecting WAGO GmbH & Co. KG Industrial Managed Switches highlights a critical risk for defenders: an unauthenticated remote attacker can bypass security restrictions to fully compromise a device.
This post provides a detailed breakdown of CVE-2026-3587, offering security teams the technical analysis and defensive tools necessary to identify and remediate this threat within their environments.
Technical Analysis
CVE ID: CVE-2026-3587
Advisory: ICSA-26-085-01
Severity: Critical (the source advisory does not state a CVSS score; the flaw allows full device compromise without authentication)
The Vulnerability
The vulnerability is a hidden function in the Command Line Interface (CLI) prompt of the affected WAGO switches. An unauthenticated remote attacker can use it to escape the restricted interface, bypassing the intended security boundary and fully compromising the device. From there the attacker could alter switch configurations, intercept traffic, or use the switch as a pivot point for lateral movement into the OT network.
Affected Products
The vulnerability specifically impacts several hardware models running firmware versions prior to the security updates listed below. Defenders should immediately check their inventory against these specific model and firmware pairings:
- WAGO Hardware 852-1812: Firmware versions prior to V1.2.1.S0
- WAGO Hardware 852-1813: Firmware versions prior to V1.2.1.S0
- WAGO Hardware 852-1813/000-001: Firmware versions prior to V1.2.3.S0
- WAGO Hardware 852-1816: Firmware versions prior to V1.2.1.S0
- WAGO Hardware 852-303: Firmware versions prior to V1.2.8.S0
- WAGO Hardware 852-1305: Firmware versions prior to V1.2.0.S0
Defensive Monitoring
In ICS environments, visibility is often the first casualty of a legacy architecture. To find out whether your network hosts vulnerable WAGO switches, start from the asset inventory and confirm it with a network query.
1. Firmware Verification via SNMP (Bash)
If your network management station or a Linux jump host has SNMP access to the management VLAN, the following script queries the sysDescr object (OID 1.3.6.1.2.1.1.1.0) of each listed host and reports any that identify as WAGO. On many devices sysDescr carries the firmware version, but check the string returned by one known switch before relying on it. Use SNMPv3 instead of a v2c community string wherever the switches support it, since v2c community strings travel in cleartext.
#!/bin/bash
# Query the SNMP sysDescr of each listed host and report any that identify as WAGO.
# Requires net-snmp (snmpget). Read-only community string; change it for your site.
COMMUNITY="${COMMUNITY:-public}"
# SNMP OID for sysDescr (System Description)
OID="1.3.6.1.2.1.1.1.0"
# Management addresses of the switches to check
IPS=("192.168.1.1" "192.168.1.2" "10.0.0.100")

command -v snmpget >/dev/null || { echo "snmpget not found (install net-snmp)" >&2; exit 1; }

echo "Checking WAGO switches for firmware versions..."
for IP in "${IPS[@]}"; do
    echo "Querying $IP..."
    # sysDescr is a single scalar, so snmpget rather than snmpwalk; -Oqv prints only the value.
    RESULT=$(snmpget -v2c -c "$COMMUNITY" -t 2 -r 1 -Oqv "$IP" "$OID" 2>/dev/null)
    if [ -z "$RESULT" ]; then
        echo "    no SNMP response (firewalled, SNMP disabled, or wrong community string)"
        continue
    fi
    if echo "$RESULT" | grep -iq "WAGO"; then
        echo "[+] WAGO device found at $IP"
        echo "    sysDescr: $RESULT"
        # Pull out a version token such as V1.2.1.S0 if sysDescr carries one,
        # so it can be compared against the fixed versions listed in the advisory.
        VERSION=$(echo "$RESULT" | grep -oE 'V[0-9]+(\.[0-9]+)+(\.S[0-9]+)?' | head -n1)
        [ -n "$VERSION" ] && echo "    version token: $VERSION"
    fi
done
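The comparison step that the script above leaves as a comment is the part that actually decides whether a switch is exposed, so here it is as an added example in Python (not code from the original post or from WAGO). It maps each sysDescr string to the affected model and its minimum fixed version from the table above. The sysDescr layout in the constructed samples, and the assumption that the trailing S field orders numerically after the dotted components, are both assumptions for the example; confirm them against one real switch before trusting the classification.

```python
"""Added example: compare WAGO firmware versions from sysDescr strings against
the fixed versions listed in ICSA-26-085-01.  The sysDescr layout used in the
constructed samples below is an assumption; check a real device first."""
import re

# Minimum fixed firmware version per hardware model (from the advisory table above).
FIXED_VERSIONS = {
    "852-1812": "V1.2.1.S0",
    "852-1813": "V1.2.1.S0",
    "852-1813/000-001": "V1.2.3.S0",
    "852-1816": "V1.2.1.S0",
    "852-303": "V1.2.8.S0",
    "852-1305": "V1.2.0.S0",
}

# Vmajor.minor.patch.Sn; the S field is treated as the least significant
# component (an assumption about WAGO's version ordering).
VERSION_RE = re.compile(r"\bV(\d+)\.(\d+)\.(\d+)\.S(\d+)\b")


def parse_version(text):
    """Return (major, minor, patch, s) for the first version token in text, else None."""
    m = VERSION_RE.search(text)
    return tuple(int(g) for g in m.groups()) if m else None


def find_model(text):
    """Return the affected model named in text. Longest names are tried first so
    '852-1813/000-001' is not mis-read as plain '852-1813'."""
    for model in sorted(FIXED_VERSIONS, key=len, reverse=True):
        if model in text:
            return model
    return None


def assess(sysdescr):
    """Classify one sysDescr string.

    Returns (status, model, version) where status is one of
    'not_affected', 'unknown_version', 'vulnerable', 'fixed'.
    """
    model = find_model(sysdescr)
    if model is None:
        return "not_affected", None, None
    version = parse_version(sysdescr)
    if version is None:
        # Affected model but no version in the string: needs a manual check.
        return "unknown_version", model, None
    fixed = parse_version(FIXED_VERSIONS[model])
    status = "fixed" if version >= fixed else "vulnerable"
    return status, model, version


def assess_inventory(rows):
    """rows: iterable of (ip, sysdescr). Returns a list of dicts, vulnerable first."""
    results = [dict(zip(("status", "model", "version"), assess(d)), ip=ip) for ip, d in rows]
    order = {"vulnerable": 0, "unknown_version": 1, "fixed": 2, "not_affected": 3}
    return sorted(results, key=lambda r: order[r["status"]])


# Constructed sample inventory (not real device output).
SAMPLE_INVENTORY = [
    ("192.168.1.1", "WAGO 852-1812 Industrial Managed Switch, Firmware V1.2.0.S0"),
    ("192.168.1.2", "WAGO 852-1813/000-001 Industrial Managed Switch, Firmware V1.2.1.S0"),
    ("192.168.1.3", "WAGO 852-303 Industrial Managed Switch, Firmware V1.2.8.S1"),
    ("192.168.1.4", "WAGO 852-1305 Industrial Managed Switch"),
    ("192.168.1.5", "Other Vendor L2 Switch, SW 4.1"),
]

if __name__ == "__main__":
    for r in assess_inventory(SAMPLE_INVENTORY):
        print(f"{r['ip']:<14} {r['status']:<16} model={r['model']} version={r['version']}")
```

The second sample is the case worth noting: it carries V1.2.1.S0, which is a fixed version for the plain 852-1813 but is still below the V1.2.3.S0 required for the 852-1813/000-001 variant, so a naive substring match on the model name would mis-classify it. Anything that comes back as unknown_version should be checked by hand on the device rather than assumed safe.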
2. Network Traffic Anomaly Detection (KQL)
If your firewall or IDS logs are ingested into Microsoft Sentinel, the following KQL flags hosts that open many SSH or Telnet connections to OT management ranges within an hour. It does not detect the vulnerability itself; it surfaces CLI access from sources other than your approved engineering workstations, which is where exploitation of a remote, unauthenticated CLI flaw would show up. Adjust the table and column names to match the connector that carries your logs.
// Query for SSH or Telnet connections to known OT management ranges
// This helps identify sources attempting to reach the switch CLI
let OT_Subnets = dynamic(["10.0.0.0/8", "192.168.1.0/24"]); // Customize with your OT management ranges
NetworkEvents // replace with the table your firewall/IDS logs land in, and map the column names
| where ipv4_is_in_any_range(DestinationIP, OT_Subnets)
| where DestinationPort in (22, 23) // SSH and Telnet
| where ActionType in ("ConnectionAllowed", "InboundConnectionAllowed")
| summarize Count = count() by SourceIP, DestinationIP, DestinationPort, bin(TimeGenerated, 1h)
| where Count > 10 // Threshold for unusual activity; tune to your baseline
| order by Count desc
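To show what the query above actually flags, and where a count threshold alone falls short, here is the same logic as an added Python example run over constructed firewall log lines (not code from the original post, and not real data). The log line format, the OT ranges and the engineering-workstation allowlist are assumptions for the example. It goes one step beyond the KQL by also listing every non-allowlisted source that reached a CLI port at all, since a single session is enough to exploit an unauthenticated CLI escape.

```python
"""Added example: an offline version of the Sentinel query above, run over
constructed firewall log lines.  Log format, OT ranges and the engineering
workstation allowlist are assumptions for the example."""
from collections import Counter
from datetime import datetime, timezone
import ipaddress

OT_SUBNETS = [ipaddress.ip_network(n) for n in ("192.168.1.0/24", "10.0.0.0/8")]
ENGINEERING_WORKSTATIONS = {"10.10.5.20"}  # assumed allowlist of approved CLI sources
CLI_PORTS = {22, 23}                       # SSH and Telnet
THRESHOLD = 10                             # same per-hour threshold as the KQL


def make_sample_lines():
    """Constructed log lines (not real data): '<ISO timestamp> <src> <dst> <dport> <action>'."""
    lines = []
    # 12 allowed Telnet connections in one hour from a host that is not an engineering workstation
    lines += [f"2026-03-26T08:{i:02d}:00Z 172.16.9.9 192.168.1.1 23 allow" for i in range(12)]
    # 15 SSH sessions from an approved workstation: expected, so excluded by the allowlist
    lines += [f"2026-03-26T08:{i:02d}:30Z 10.10.5.20 192.168.1.1 22 allow" for i in range(15)]
    # 3 SSH connections from another unapproved host: below the burst threshold
    lines += [f"2026-03-26T09:{i:02d}:00Z 172.16.9.10 192.168.1.2 22 allow" for i in range(3)]
    # Denied attempts, non-CLI ports and non-OT destinations are ignored
    lines.append("2026-03-26T08:30:00Z 172.16.9.9 192.168.1.1 22 deny")
    lines.append("2026-03-26T08:31:00Z 172.16.9.9 192.168.1.1 443 allow")
    lines.append("2026-03-26T08:32:00Z 172.16.9.9 203.0.113.5 22 allow")
    return lines


def parse_line(line):
    """Split one assumed-format log line into a record."""
    ts, src, dst, dport, action = line.split()
    when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": when, "src": src, "dst": dst, "dport": int(dport), "action": action}


def in_ot(ip):
    """True if ip falls inside any configured OT management range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in OT_SUBNETS)


def cli_events(lines):
    """Yield allowed SSH/Telnet connections into OT ranges from non-allowlisted sources."""
    for line in lines:
        rec = parse_line(line)
        if rec["action"] != "allow" or rec["dport"] not in CLI_PORTS:
            continue
        if not in_ot(rec["dst"]) or rec["src"] in ENGINEERING_WORKSTATIONS:
            continue
        yield rec


def detect_bursts(lines, threshold=THRESHOLD):
    """Equivalent of the KQL summarize/where: (src, dst, port, hour) keys over threshold."""
    counts = Counter()
    for rec in cli_events(lines):
        hour = rec["ts"].replace(minute=0, second=0, microsecond=0)
        counts[(rec["src"], rec["dst"], rec["dport"], hour)] += 1
    return sorted(((k, c) for k, c in counts.items() if c > threshold),
                  key=lambda kc: kc[1], reverse=True)


def unapproved_sources(lines):
    """Stricter OT rule: any CLI connection from outside the allowlist is worth a look."""
    return sorted({rec["src"] for rec in cli_events(lines)})


if __name__ == "__main__":
    sample = make_sample_lines()
    for (src, dst, port, hour), count in detect_bursts(sample):
        print(f"burst: {src} -> {dst}:{port} {count} connections in hour starting {hour:%H:%M}")
    print("unapproved CLI sources:", unapproved_sources(sample))
```

On the sample data the burst rule fires once, for the 12 Telnet connections from 172.16.9.9, and stays quiet for the engineering workstation even though it opened more sessions. The three connections from 172.16.9.10 never trip the threshold, which is why the allowlist-based rule is the one to run in a quiet OT management network: the set of hosts that should ever open a CLI session to a switch is small and known.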
Remediation
Immediate action is required to secure affected devices against CVE-2026-3587. Security teams should follow this remediation roadmap:
- Update Firmware: Apply the firmware updates provided by WAGO. Update to at least the following versions:
  - 852-1812: V1.2.1.S0 or later.
  - 852-1813: V1.2.1.S0 or later.
  - 852-1813/000-001: V1.2.3.S0 or later.
  - 852-1816: V1.2.1.S0 or later.
  - 852-303: V1.2.8.S0 or later.
  - 852-1305: V1.2.0.S0 or later.
- Network Segmentation: If immediate patching is not possible because of uptime requirements, strictly isolate the management interfaces of these switches from untrusted networks. Only authorized engineering workstations should be able to reach the switch management ports, and that restriction belongs in firewall or ACL rules in front of the switch rather than on the switch itself, since the flaw is reachable without authentication.
- Disable Unused Services: Disable Telnet in favor of SSH where the switch supports it, and restrict CLI access to the personnel who need it. Treat this as hardening rather than a fix: the hidden function sits in the CLI prompt, so any service that exposes the CLI exposes the escape, and only the firmware update removes it.
- Backup and Review: Before applying firmware updates in an ICS environment, take a validated backup of the current configuration, and test the update on a non-production unit if one is available.