PatchSiren cyber security CVE debrief
CVE-2026-3587 WAGO CVE debrief
CVE-2026-3587 is a critical remote compromise issue affecting multiple WAGO industrial managed switch models in the 852 family. The advisory states that an unauthenticated attacker can exploit a hidden function in the CLI prompt to escape the restricted interface and reach root-level access, resulting in full device compromise. CISA’s CSAF republication ties the issue to WAGO GmbH & Co. KG industrial managed switches and lists fixed firmware versions for each affected model, along with a workaround to disable SSH and Telnet where possible.
- Vendor
- WAGO
- Product
- Hardware
- CVSS
- CRITICAL 10
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-03-23
- Original CVE updated
- 2026-03-26
- Advisory published
- 2026-03-23
- Advisory updated
- 2026-03-26
Who should care
OT/ICS defenders, plant network administrators, system integrators, and anyone operating WAGO 852-series industrial managed switches—especially where management access is reachable over IP or exposed beyond a tightly controlled maintenance network.
Technical summary
The source advisory describes a network-reachable, unauthenticated flaw in the device CLI path. Attackers can use a hidden CLI function to break out of the restricted interface and obtain elevated access, with the impact characterized as full device compromise. The supplied CVSS vector is CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H (10.0/Critical). Affected firmware is any version below the model-specific fixed releases listed in the advisory. The advisory also notes a workaround: disable SSH and Telnet to reduce the attack vector, leaving CLI access local via RS232 on the applicable devices.
Defensive priority
Immediate. This is a critical, unauthenticated network-accessible management-plane issue with high confidentiality, integrity, and availability impact. Prioritize rapid asset identification, exposure reduction, and firmware remediation on any affected WAGO managed switch that is reachable from non-trusted networks.
Recommended defensive actions
- Inventory all WAGO 852-series managed switches and confirm exact model and firmware version before making changes.
- Upgrade each affected device to the fixed firmware version listed in the vendor/CISA advisory for that model.
- If immediate patching is not possible, disable SSH and Telnet on the device to reduce the attack vector, as recommended in the source advisory.
- Restrict management-plane access to trusted maintenance networks only and verify that remote CLI access is not broadly exposed.
- Monitor for unexpected administrative access, configuration changes, and device restarts on affected switches until remediation is complete.
Evidence notes
All substantive claims in this debrief come from the supplied CISA CSAF source item and its referenced vendor/CERT VDE materials. The advisory explicitly identifies unauthenticated remote exploitation, a hidden CLI function, root/full compromise impact, affected WAGO 852-series switch models, fixed firmware versions, and the SSH/Telnet workaround. Published date context is taken from the provided CVE/source timeline: 2026-03-23 initial publication and 2026-03-26 modification/republication.
Official resources
-
CVE-2026-3587 CVE record
CVE.org
-
CVE-2026-3587 NVD detail
NVD
-
Source item URL
cisa_csaf
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
Public advisory initially published 2026-03-23 and modified/republished 2026-03-26. Timing in this debrief uses the supplied CVE/source dates, not generation time.