ctipilot.ch

WAGO I/O System Field — undocumented early-boot diagnostic interface, unauthenticated full compromise (CWE-912)

cve · CVE-2026-4769 single-source

Coverage timeline
1
first 2026-07-13 → last 2026-07-13
Peak priority
notable
1 notable
Sources cited
2
2 hosts
Sections touched
1
trending-vulnerabilities
Co-occurring entities
0
no co-occurrence
ATT&CK techniques
1
pinned v19.1 · see below

Hunting pivots

ATT&CK techniques
Affected products
WAGO I/O System Field 0765-110x/0100-0000WAGO I/O System Field 0765-120x/0100-0000WAGO I/O System Field 0765-150x/0100-0000WAGO I/O System Field 0765-2101/0100-0000WAGO I/O System Field 0765-2102/0100-0000WAGO I/O System Field 0765-410x/0100-0000WAGO I/O System Field 0765-420x/0100-0000WAGO I/O System Field 0765-450x/0100-0000

ATT&CK techniques

1 technique observed across 1 entry — derived from entry metadata and body evidence, never asserted without a published entry behind it · pinned to MITRE ATT&CK v19.1 · compare on the matrix · Navigator layer (JSON)

Initial Access TA0001

T1190Exploit Public-Facing Application×1

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network. The weakness in the system can be a software bug, a temporary glitch, or a misconfiguration.

Evidence: 2026-07-13/wago-io-system-field-cve-2026-4769-early-boot-backdoor · ATT&CK page ↗

Story timeline

  1. 2026-07-13CVE-2026-4769 — WAGO I/O System Field: undocumented early-boot interface allows unauthenticated full compromise (CVSS 9.8)
    trending-vulnerabilitiesWAGO patches a hidden early-boot diagnostic interface in I/O System Field couplers that lets an unauthenticated remote attacker take full control

Where this entity is cited

  • trending-vulnerabilities1

Source distribution

  • certvde.com1 (50%)
  • euvd.enisa.europa.eu1 (50%)

explore in graph

Entries about WAGO I/O System Field — undocumented early-boot diagnostic interface, unauthenticated full compromise (CWE-912) (1)

2026-07-13 · view entry permalink →

NOTABLECVE-2026-4769NATOA2

CVE-2026-4769 — WAGO I/O System Field: undocumented early-boot interface allows unauthenticated full compromise (CVSS 9.8)

CERT@VDE — Germany's OT/ICS coordinating CERT, acting as CVE Numbering Authority for the vendor — published advisory VDE-2026-031 / CVE-2026-4769 on 2026-07-13 for WAGO I/O System Field series coupler devices (models 0765-110x, 0765-120x, 0765-150x, 0765-2101, 0765-2102, 0765-410x, 0765-420x, 0765-450x, all variant /0100-0000) (CERT@VDE, 2026-07-13). Certain devices activate an undocumented internal diagnostic capability during the initial boot sequence — functionality outside the publicly documented feature set — which is reachable without authentication for a brief window before the main operating environment and its security controls become fully active (CWE-912 Hidden Functionality). If an attacker has network access to the device during that early-boot window, they can interact with internal system processes normally protected during regular operation, which CERT@VDE describes as resulting in full system compromise. The advisory carries a CVSS 3.1 vector of AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H (9.8), and the ENISA EU Vulnerability Database entry EUVD-2026-43297 lists a CVSS 4.0 base score of 9.3 (ENISA EUVD, 2026-07-13). No exploitation has been reported and EPSS is 0.0. WAGO has released fixed firmware for each affected model.

WAGO I/O System Field devices are modular fieldbus I/O couplers used in industrial automation and building-management deployments, including energy and water-utility OT environments in the constituency's additional sectors. The practical exploitability is bounded — an attacker must have network reachability to the device precisely during its early-boot window — but the impact if that condition is met is unauthenticated, full compromise of an operational field device, and OT patch cycles are slow, so the exposure can persist. Detection is best framed as OT network monitoring: correlate device power-cycle/reboot events (from maintenance logs or the device's own uptime telemetry) with any new inbound session to the device's management/diagnostic ports in the same time window — a connection arriving during a reboot, rather than steady-state operation, is the anomaly this vulnerability creates. Hardening: apply the per-model fixed firmware listed above and, until then, keep these couplers behind VLAN/ACL segmentation from any untrusted network segment, tightening reachability during planned maintenance reboots when the early-boot window is opened deliberately.

This functionality is not formally documented and becomes accessible without authentication for a brief period in the early boot phase. During this window, an unauthenticated remote attacker can gain access to the internal system processes, resulting in full system compromise.

CERT@VDE
vulnerability13 Jul 12:50Zsingle-sourceOpen finding ↗