VDE-2026-031
Vulnerability from csaf_wagogmbhcokg - Published: 2026-07-13 07:00 - Updated: 2026-07-13 07:00Summary
WAGO: Early-Boot Diagnostic Exposure in WAGO System I/O Field Devices
Severity
Critical
Notes
Summary: Certain devices in the WAGO System I/O Field series enable an internal diagnostic capability during the initial stages of system startup. This behavior, which is not part of the publicly documented feature set, briefly allows access to system functions before the main operating environment becomes fully active. Under specific conditions, this could permit interactions with system components that are normally protected during regular operation.
Impact: If network access is available during the early startup phase, an external party may be able to influence device behavior in ways not intended for routine operation. This could potentially affect system integrity or configuration prior to the full initialization of security mechanisms.
Remediation: Update to the listed fixed versions of the affected firmwares:
| Fixed Version | Product Name |
| ------------- | ------------------------------------ |
| 1.2.1.100 | I/O System Field 0765-110x/0100-0000 |
| 1.2.7.100 | I/O System Field 0765-120x/0100-0000 |
| 1.2.7.103 | I/O System Field 0765-150x/0100-0000 |
| 1.2.1.102 | I/O System Field 0765-2101/0100-0000 |
| 1.2.5.101 | I/O System Field 0765-2102/0100-0000 |
| 1.2.1.100 | I/O System Field 0765-410x/0100-0000 |
| 1.2.7.100 | I/O System Field 0765-420x/0100-0000 |
| 1.2.7.103 | I/O System Field 0765-450x/0100-0000 |
Certain devices in the WAGO System I/O Field series activate an internal diagnostic capability during the initial startup sequence. This functionality is not formally documented and becomes accessible without authentication for a brief period in the early boot phase. During this window, an unauthenticated remote attacker can gain access to the internal system processes, resulting in full system compromise.
9.8 (Critical)
Vendor Fix
Update to the listed fixed versions of the affected firmwares:
| Fixed Version | Product Name |
| ------------- | ------------------------------------ |
| 1.2.1.100 | I/O System Field 0765-110x/0100-0000 |
| 1.2.7.100 | I/O System Field 0765-120x/0100-0000 |
| 1.2.7.103 | I/O System Field 0765-150x/0100-0000 |
| 1.2.1.102 | I/O System Field 0765-2101/0100-0000 |
| 1.2.5.101 | I/O System Field 0765-2102/0100-0000 |
| 1.2.1.100 | I/O System Field 0765-410x/0100-0000 |
| 1.2.7.100 | I/O System Field 0765-420x/0100-0000 |
| 1.2.7.103 | I/O System Field 0765-450x/0100-0000 |
Affected products
Fixed
8 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: CSAFPID-32001 | — | ||
| Unresolved product id: CSAFPID-32002 | — | ||
| Unresolved product id: CSAFPID-32003 | — | ||
| Unresolved product id: CSAFPID-32004 | — | ||
| Unresolved product id: CSAFPID-32005 | — | ||
| Unresolved product id: CSAFPID-32006 | — | ||
| Unresolved product id: CSAFPID-32007 | — | ||
| Unresolved product id: CSAFPID-32008 | — |
Known affected
8 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: CSAFPID-31002 | — | ||
| Unresolved product id: CSAFPID-31004 | — | ||
| Unresolved product id: CSAFPID-31006 | — | ||
| Unresolved product id: CSAFPID-31008 | — | ||
| Unresolved product id: CSAFPID-31010 | — | ||
| Unresolved product id: CSAFPID-31012 | — | ||
| Unresolved product id: CSAFPID-31014 | — | ||
| Unresolved product id: CSAFPID-31016 | — |
References
5 references
Acknowledgments
CERTVDE
certvde.com/en/
{
"document": {
"acknowledgments": [
{
"organization": "CERTVDE",
"summary": "coordination.",
"urls": [
"https://certvde.com/en/"
]
}
],
"aggregate_severity": {
"namespace": "https://www.first.org/cvss/v3.1/specification-document#Qualitative-Severity-Rating-Scale",
"text": "Critical"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en-US",
"notes": [
{
"category": "summary",
"text": "Certain devices in the WAGO System I/O Field series enable an internal diagnostic capability during the initial stages of system startup. This behavior, which is not part of the publicly documented feature set, briefly allows access to system functions before the main operating environment becomes fully active. Under specific conditions, this could permit interactions with system components that are normally protected during regular operation.",
"title": "Summary"
},
{
"category": "description",
"text": "If network access is available during the early startup phase, an external party may be able to influence device behavior in ways not intended for routine operation. This could potentially affect system integrity or configuration prior to the full initialization of security mechanisms.",
"title": "Impact"
},
{
"category": "description",
"text": "Update to the listed fixed versions of the affected firmwares:\n\n| Fixed Version | Product Name |\n| ------------- | ------------------------------------ |\n| 1.2.1.100 | I/O System Field 0765-110x/0100-0000 |\n| 1.2.7.100 | I/O System Field 0765-120x/0100-0000 |\n| 1.2.7.103 | I/O System Field 0765-150x/0100-0000 |\n| 1.2.1.102 | I/O System Field 0765-2101/0100-0000 |\n| 1.2.5.101 | I/O System Field 0765-2102/0100-0000 |\n| 1.2.1.100 | I/O System Field 0765-410x/0100-0000 |\n| 1.2.7.100 | I/O System Field 0765-420x/0100-0000 |\n| 1.2.7.103 | I/O System Field 0765-450x/0100-0000 |\n",
"title": "Remediation"
}
],
"publisher": {
"category": "vendor",
"contact_details": "psirt@wago.com",
"name": "WAGO GmbH \u0026 Co. KG",
"namespace": "https://www.wago.com/psirt"
},
"references": [
{
"category": "self",
"summary": "WAGO PSIRT",
"url": "https://www.wago.com/de-en/automation-technology/psirt"
},
{
"category": "external",
"summary": "CERT@VDE Security Advisories for WAGO",
"url": "https://certvde.com/de/advisories/vendor/wago/"
},
{
"category": "self",
"summary": "VDE-2026-031: WAGO: Early-Boot Diagnostic Exposure in WAGO System I/O Field Devices - HTML",
"url": "https://certvde.com/en/advisories/VDE-2026-031"
},
{
"category": "self",
"summary": "VDE-2026-031: WAGO: Early-Boot Diagnostic Exposure in WAGO System I/O Field Devices - CSAF",
"url": "https://wago.csaf-tp.certvde.com/.well-known/csaf/white/2026/vde-2026-031.json"
}
],
"title": "WAGO: Early-Boot Diagnostic Exposure in WAGO System I/O Field Devices",
"tracking": {
"aliases": [
"VDE-2026-031"
],
"current_release_date": "2026-07-13T07:00:00.000Z",
"generator": {
"date": "2026-07-10T11:48:52.089Z",
"engine": {
"name": "Secvisogram",
"version": "2.5.44"
}
},
"id": "VDE-2026-031",
"initial_release_date": "2026-07-13T07:00:00.000Z",
"revision_history": [
{
"date": "2026-07-13T07:00:00.000Z",
"number": "1.0.0",
"summary": "Release version."
}
],
"status": "final",
"version": "1.0.0"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "0765-110x/0100-0000",
"product": {
"name": "I/O System Field 0765-110x/0100-0000",
"product_id": "CSAFPID-11001",
"product_identification_helper": {
"model_numbers": [
"0765-110?/0100-0000"
]
}
}
},
{
"category": "product_name",
"name": "0765-120x/0100-0000",
"product": {
"name": "I/O System Field 0765-120x/0100-0000",
"product_id": "CSAFPID-11002",
"product_identification_helper": {
"model_numbers": [
"0765-120?/0100-0000"
]
}
}
},
{
"category": "product_name",
"name": "0765-150x/0100-0000",
"product": {
"name": "I/O System Field 0765-150x/0100-0000",
"product_id": "CSAFPID-11003",
"product_identification_helper": {
"model_numbers": [
"0765-150?/0100-0000"
]
}
}
},
{
"category": "product_name",
"name": "0765-2101/0100-0000",
"product": {
"name": "I/O System Field 0765-2101/0100-0000",
"product_id": "CSAFPID-11004",
"product_identification_helper": {
"model_numbers": [
"0765-210?/0100-0000"
],
"serial_numbers": [
"0765-2101/0100-0000"
]
}
}
},
{
"category": "product_name",
"name": "0765-2102/0100-0000",
"product": {
"name": "I/O System Field 0765-2102/0100-0000",
"product_id": "CSAFPID-11005",
"product_identification_helper": {
"model_numbers": [
"0765-2102/0100-0000"
]
}
}
},
{
"category": "product_name",
"name": "0765-410x/0100-0000",
"product": {
"name": "I/O System Field 0765-410x/0100-0000",
"product_id": "CSAFPID-11006",
"product_identification_helper": {
"model_numbers": [
"0765-410?/0100-0000"
]
}
}
},
{
"category": "product_name",
"name": "0765-420x/0100-0000",
"product": {
"name": "I/O System Field 0765-420x/0100-0000",
"product_id": "CSAFPID-11007",
"product_identification_helper": {
"model_numbers": [
"0765-420?/0100-0000"
]
}
}
},
{
"category": "product_name",
"name": "0765-450x/0100-0000",
"product": {
"name": "I/O System Field 0765-450x/0100-0000",
"product_id": "CSAFPID-11008",
"product_identification_helper": {
"model_numbers": [
"0765-450?/0100-0000"
]
}
}
}
],
"category": "product_family",
"name": "I/O System Field"
}
],
"category": "product_family",
"name": "Hardware"
},
{
"branches": [
{
"category": "product_version_range",
"name": "vers:generic/\u003e=1.0.0.0|\u003c1.2.1.100",
"product": {
"name": "Firmware \u003c1.2.1.100",
"product_id": "CSAFPID-21002",
"product_identification_helper": {
"cpe": "cpe:2.3:o:wago:field_profinet:*:*:*:*:*:*:*:*"
}
}
},
{
"category": "product_version",
"name": "1.2.1.100",
"product": {
"name": "Firmware 1.2.1.100",
"product_id": "CSAFPID-22001",
"product_identification_helper": {
"cpe": "cpe:2.3:o:wago:field_profinet:1.2.1.100:*:*:*:*:*:*:*"
}
}
},
{
"category": "product_version_range",
"name": "vers:generic/\u003e=1.0.0.0|\u003c1.2.7.100",
"product": {
"name": "Firmware \u003c1.2.7.100",
"product_id": "CSAFPID-21004",
"product_identification_helper": {
"cpe": "cpe:2.3:o:wago:field_profinet:1.2.1.0:*:*:*:*:*:*:*"
}
}
},
{
"category": "product_version",
"name": "1.2.7.100",
"product": {
"name": "Firmware 1.2.7.100",
"product_id": "CSAFPID-22002",
"product_identification_helper": {
"cpe": "cpe:2.3:o:wago:field_ethercat:1.2.7.100:*:*:*:*:*:*:*"
}
}
},
{
"category": "product_version_range",
"name": "vers:generic/\u003e=1.0.0.0|\u003c1.2.7.103",
"product": {
"name": "Firmware \u003c1.2.7.103",
"product_id": "CSAFPID-21006",
"product_identification_helper": {
"cpe": "cpe:2.3:o:wago:field_profinet:1.2.1.0:*:*:*:*:*:*:*"
}
}
},
{
"category": "product_version",
"name": "1.2.7.103",
"product": {
"name": "Firmware 1.2.7.103",
"product_id": "CSAFPID-22003",
"product_identification_helper": {
"cpe": "cpe:2.3:o:wago:field_ethernet_ip:1.2.7.103:*:*:*:*:*:*:*"
}
}
},
{
"category": "product_version_range",
"name": "vers:generic/\u003e=1.0.0.0|\u003c1.2.1.102",
"product": {
"name": "Firmware \u003c1.2.1.102",
"product_id": "CSAFPID-21008",
"product_identification_helper": {
"cpe": "cpe:2.3:o:wago:field_profinet:1.2.1.0:*:*:*:*:*:*:*"
}
}
},
{
"category": "product_version",
"name": "1.2.1.102",
"product": {
"name": "Firmware 1.2.1.102",
"product_id": "CSAFPID-22004",
"product_identification_helper": {
"cpe": "cpe:2.3:o:wago:field_profinet:1.2.1.102:*:*:*:*:*:*:*"
}
}
},
{
"category": "product_version_range",
"name": "vers:generic/\u003e=1.0.0.0|\u003c1.2.5.101",
"product": {
"name": "Firmware \u003c1.2.5.101",
"product_id": "CSAFPID-21010",
"product_identification_helper": {
"cpe": "cpe:2.3:o:wago:field_profinet:1.2.1.0:*:*:*:*:*:*:*"
}
}
},
{
"category": "product_version",
"name": "1.2.5.101",
"product": {
"name": "Firmware 1.2.5.101",
"product_id": "CSAFPID-22005",
"product_identification_helper": {
"cpe": "cpe:2.3:o:wago:field_profinet:1.2.5.101:*:*:*:*:*:*:*"
}
}
}
],
"category": "product_family",
"name": "Firmware"
}
],
"category": "vendor",
"name": "WAGO"
}
],
"product_groups": [
{
"group_id": "CSAFGID-0001",
"product_ids": [
"CSAFPID-31002",
"CSAFPID-31004",
"CSAFPID-31006",
"CSAFPID-31008",
"CSAFPID-31010",
"CSAFPID-31012",
"CSAFPID-31014",
"CSAFPID-31016"
],
"summary": "Affected devices"
},
{
"group_id": "CSAFGID-0002",
"product_ids": [
"CSAFPID-32001",
"CSAFPID-32002",
"CSAFPID-32003",
"CSAFPID-32004",
"CSAFPID-32005",
"CSAFPID-32006",
"CSAFPID-32007",
"CSAFPID-32008"
],
"summary": "Fixed devices"
}
],
"relationships": [
{
"category": "installed_on",
"full_product_name": {
"name": "Firmware \u003c1.2.1.100 installed on I/O System Field 0765-110x/0100-0000",
"product_id": "CSAFPID-31002",
"product_identification_helper": {
"model_numbers": [
"0765-110?/0100-0000"
]
}
},
"product_reference": "CSAFPID-21002",
"relates_to_product_reference": "CSAFPID-11001"
},
{
"category": "installed_on",
"full_product_name": {
"name": "Firmware 1.2.1.100 installed on I/O System Field 0765-110x/0100-0000",
"product_id": "CSAFPID-32001",
"product_identification_helper": {
"model_numbers": [
"0765-110?/0100-0000"
]
}
},
"product_reference": "CSAFPID-22001",
"relates_to_product_reference": "CSAFPID-11001"
},
{
"category": "installed_on",
"full_product_name": {
"name": "Firmware \u003c1.2.7.100 installed on I/O System Field 0765-120x/0100-0000",
"product_id": "CSAFPID-31004",
"product_identification_helper": {
"model_numbers": [
"0765-120?/0100-0000"
]
}
},
"product_reference": "CSAFPID-21004",
"relates_to_product_reference": "CSAFPID-11002"
},
{
"category": "installed_on",
"full_product_name": {
"name": "Firmware 1.2.7.100 installed on I/O System Field 0765-120x/0100-0000",
"product_id": "CSAFPID-32002",
"product_identification_helper": {
"model_numbers": [
"0765-120?/0100-0000"
]
}
},
"product_reference": "CSAFPID-22002",
"relates_to_product_reference": "CSAFPID-11002"
},
{
"category": "installed_on",
"full_product_name": {
"name": "Firmware \u003c1.2.7.103 installed on I/O System Field 0765-150x/0100-0000",
"product_id": "CSAFPID-31006",
"product_identification_helper": {
"model_numbers": [
"0765-150?/0100-0000"
]
}
},
"product_reference": "CSAFPID-21006",
"relates_to_product_reference": "CSAFPID-11003"
},
{
"category": "installed_on",
"full_product_name": {
"name": "Firmware 1.2.7.103 installed on I/O System Field 0765-150x/0100-0000",
"product_id": "CSAFPID-32003",
"product_identification_helper": {
"model_numbers": [
"0765-150?/0100-0000"
]
}
},
"product_reference": "CSAFPID-22003",
"relates_to_product_reference": "CSAFPID-11003"
},
{
"category": "installed_on",
"full_product_name": {
"name": "Firmware \u003c1.2.1.102 installed on I/O System Field 0765-2101/0100-0000",
"product_id": "CSAFPID-31008",
"product_identification_helper": {
"model_numbers": [
"0765-2101/0100-0000"
]
}
},
"product_reference": "CSAFPID-21008",
"relates_to_product_reference": "CSAFPID-11004"
},
{
"category": "installed_on",
"full_product_name": {
"name": "Firmware 1.2.1.102 installed on I/O System Field 0765-2101/0100-0000",
"product_id": "CSAFPID-32004",
"product_identification_helper": {
"model_numbers": [
"0765-2101/0100-0000"
]
}
},
"product_reference": "CSAFPID-22004",
"relates_to_product_reference": "CSAFPID-11004"
},
{
"category": "installed_on",
"full_product_name": {
"name": "Firmware \u003c1.2.5.101 installed on I/O System Field 0765-2102/0100-0000",
"product_id": "CSAFPID-31010",
"product_identification_helper": {
"model_numbers": [
"0765-2102/0100-0000"
]
}
},
"product_reference": "CSAFPID-21010",
"relates_to_product_reference": "CSAFPID-11005"
},
{
"category": "installed_on",
"full_product_name": {
"name": "Firmware 1.2.5.101 installed on I/O System Field 0765-2102/0100-0000",
"product_id": "CSAFPID-32005",
"product_identification_helper": {
"model_numbers": [
"0765-2102/0100-0000"
]
}
},
"product_reference": "CSAFPID-22005",
"relates_to_product_reference": "CSAFPID-11005"
},
{
"category": "installed_on",
"full_product_name": {
"name": "Firmware \u003c1.2.1.100 installed on I/O System Field 0765-410x/0100-0000",
"product_id": "CSAFPID-31012",
"product_identification_helper": {
"model_numbers": [
"0765-410?/0100-0000"
]
}
},
"product_reference": "CSAFPID-21002",
"relates_to_product_reference": "CSAFPID-11006"
},
{
"category": "installed_on",
"full_product_name": {
"name": "Firmware 1.2.1.100 installed on I/O System Field 0765-410x/0100-0000",
"product_id": "CSAFPID-32006",
"product_identification_helper": {
"model_numbers": [
"0765-410?/0100-0000"
]
}
},
"product_reference": "CSAFPID-22001",
"relates_to_product_reference": "CSAFPID-11006"
},
{
"category": "installed_on",
"full_product_name": {
"name": "Firmware \u003c1.2.7.100 installed on I/O System Field 0765-420x/0100-0000",
"product_id": "CSAFPID-31014",
"product_identification_helper": {
"model_numbers": [
"0765-420?/0100-0000"
]
}
},
"product_reference": "CSAFPID-21004",
"relates_to_product_reference": "CSAFPID-11007"
},
{
"category": "installed_on",
"full_product_name": {
"name": "Firmware 1.2.7.100 installed on I/O System Field 0765-420x/0100-0000",
"product_id": "CSAFPID-32007",
"product_identification_helper": {
"model_numbers": [
"0765-420?/0100-0000"
]
}
},
"product_reference": "CSAFPID-22002",
"relates_to_product_reference": "CSAFPID-11007"
},
{
"category": "installed_on",
"full_product_name": {
"name": "Firmware \u003c1.2.7.103 installed on I/O System Field 0765-450x/0100-0000",
"product_id": "CSAFPID-31016",
"product_identification_helper": {
"model_numbers": [
"0765-450?/0100-0000"
]
}
},
"product_reference": "CSAFPID-21006",
"relates_to_product_reference": "CSAFPID-11008"
},
{
"category": "installed_on",
"full_product_name": {
"name": "Firmware 1.2.7.103 installed on I/O System Field 0765-450x/0100-0000",
"product_id": "CSAFPID-32008",
"product_identification_helper": {
"model_numbers": [
"0765-450?/0100-0000"
]
}
},
"product_reference": "CSAFPID-22003",
"relates_to_product_reference": "CSAFPID-11008"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2026-4769",
"cwe": {
"id": "CWE-912",
"name": "Hidden Functionality"
},
"notes": [
{
"category": "description",
"text": "Certain devices in the WAGO System I/O Field series activate an internal diagnostic capability during the initial startup sequence. This functionality is not formally documented and becomes accessible without authentication for a brief period in the early boot phase. During this window, an unauthenticated remote attacker can gain access to the internal system processes, resulting in full system compromise.",
"title": "CVE Description"
}
],
"product_status": {
"fixed": [
"CSAFPID-32001",
"CSAFPID-32002",
"CSAFPID-32003",
"CSAFPID-32004",
"CSAFPID-32005",
"CSAFPID-32006",
"CSAFPID-32007",
"CSAFPID-32008"
],
"known_affected": [
"CSAFPID-31002",
"CSAFPID-31004",
"CSAFPID-31006",
"CSAFPID-31008",
"CSAFPID-31010",
"CSAFPID-31012",
"CSAFPID-31014",
"CSAFPID-31016"
]
},
"references": [
{
"summary": "CVSS v4.0 Score: 9.3 / Critical",
"url": "https://www.first.org/cvss/calculator/4.0#CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "Update to the listed fixed versions of the affected firmwares:\n\n| Fixed Version | Product Name |\n| ------------- | ------------------------------------ |\n| 1.2.1.100 | I/O System Field 0765-110x/0100-0000 |\n| 1.2.7.100 | I/O System Field 0765-120x/0100-0000 |\n| 1.2.7.103 | I/O System Field 0765-150x/0100-0000 |\n| 1.2.1.102 | I/O System Field 0765-2101/0100-0000 |\n| 1.2.5.101 | I/O System Field 0765-2102/0100-0000 |\n| 1.2.1.100 | I/O System Field 0765-410x/0100-0000 |\n| 1.2.7.100 | I/O System Field 0765-420x/0100-0000 |\n| 1.2.7.103 | I/O System Field 0765-450x/0100-0000 |\n",
"group_ids": [
"CSAFGID-0001"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"environmentalScore": 9.8,
"environmentalSeverity": "CRITICAL",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"temporalScore": 9.8,
"temporalSeverity": "CRITICAL",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-31002",
"CSAFPID-31004",
"CSAFPID-31006",
"CSAFPID-31008",
"CSAFPID-31010",
"CSAFPID-31012",
"CSAFPID-31014",
"CSAFPID-31016"
]
}
],
"title": "Unauthenticated Access to Internal Diagnostic Interface"
}
]
}
Loading…
Loading…
Experimental. This forecast is provided for visualization only and may change without notice. Do not use it for operational decisions.
Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…