2026-07-13 · view entry permalink →
CVE-2026-4769 — WAGO I/O System Field: undocumented early-boot interface allows unauthenticated full compromise (CVSS 9.8)
CERT@VDE — Germany's OT/ICS coordinating CERT, acting as CVE Numbering Authority for the vendor — published advisory VDE-2026-031 / CVE-2026-4769 on 2026-07-13 for WAGO I/O System Field series coupler devices (models 0765-110x, 0765-120x, 0765-150x, 0765-2101, 0765-2102, 0765-410x, 0765-420x, 0765-450x, all variant /0100-0000) (CERT@VDE, 2026-07-13). Certain devices activate an undocumented internal diagnostic capability during the initial boot sequence — functionality outside the publicly documented feature set — which is reachable without authentication for a brief window before the main operating environment and its security controls become fully active (CWE-912 Hidden Functionality). If an attacker has network access to the device during that early-boot window, they can interact with internal system processes normally protected during regular operation, which CERT@VDE describes as resulting in full system compromise. The advisory carries a CVSS 3.1 vector of AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H (9.8), and the ENISA EU Vulnerability Database entry EUVD-2026-43297 lists a CVSS 4.0 base score of 9.3 (ENISA EUVD, 2026-07-13). No exploitation has been reported and EPSS is 0.0. WAGO has released fixed firmware for each affected model.
WAGO I/O System Field devices are modular fieldbus I/O couplers used in industrial automation and building-management deployments, including energy and water-utility OT environments in the constituency's additional sectors. The practical exploitability is bounded — an attacker must have network reachability to the device precisely during its early-boot window — but the impact if that condition is met is unauthenticated, full compromise of an operational field device, and OT patch cycles are slow, so the exposure can persist. Detection is best framed as OT network monitoring: correlate device power-cycle/reboot events (from maintenance logs or the device's own uptime telemetry) with any new inbound session to the device's management/diagnostic ports in the same time window — a connection arriving during a reboot, rather than steady-state operation, is the anomaly this vulnerability creates. Hardening: apply the per-model fixed firmware listed above and, until then, keep these couplers behind VLAN/ACL segmentation from any untrusted network segment, tightening reachability during planned maintenance reboots when the early-boot window is opened deliberately.
This functionality is not formally documented and becomes accessible without authentication for a brief period in the early boot phase. During this window, an unauthenticated remote attacker can gain access to the internal system processes, resulting in full system compromise.