ctipilot.ch
← Back to the live brief
NOTABLECVE-2026-4769NATOA2vulnerability

CVE-2026-4769 — WAGO I/O System Field: undocumented early-boot interface allows unauthenticated full compromise (CVSS 9.8)

discovered 2026-07-13 12:50 UTCrun 2026-07-13T1212Z-intel2 sourcessingle-source

CERT@VDE — Germany's OT/ICS coordinating CERT, acting as CVE Numbering Authority for the vendor — published advisory VDE-2026-031 / CVE-2026-4769 on 2026-07-13 for WAGO I/O System Field series coupler devices (models 0765-110x, 0765-120x, 0765-150x, 0765-2101, 0765-2102, 0765-410x, 0765-420x, 0765-450x, all variant /0100-0000) (CERT@VDE, 2026-07-13). Certain devices activate an undocumented internal diagnostic capability during the initial boot sequence — functionality outside the publicly documented feature set — which is reachable without authentication for a brief window before the main operating environment and its security controls become fully active (CWE-912 Hidden Functionality). If an attacker has network access to the device during that early-boot window, they can interact with internal system processes normally protected during regular operation, which CERT@VDE describes as resulting in full system compromise. The advisory carries a CVSS 3.1 vector of AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H (9.8), and the ENISA EU Vulnerability Database entry EUVD-2026-43297 lists a CVSS 4.0 base score of 9.3 (ENISA EUVD, 2026-07-13). No exploitation has been reported and EPSS is 0.0. WAGO has released fixed firmware for each affected model.

WAGO I/O System Field devices are modular fieldbus I/O couplers used in industrial automation and building-management deployments, including energy and water-utility OT environments in the constituency's additional sectors. The practical exploitability is bounded — an attacker must have network reachability to the device precisely during its early-boot window — but the impact if that condition is met is unauthenticated, full compromise of an operational field device, and OT patch cycles are slow, so the exposure can persist. Detection is best framed as OT network monitoring: correlate device power-cycle/reboot events (from maintenance logs or the device's own uptime telemetry) with any new inbound session to the device's management/diagnostic ports in the same time window — a connection arriving during a reboot, rather than steady-state operation, is the anomaly this vulnerability creates. Hardening: apply the per-model fixed firmware listed above and, until then, keep these couplers behind VLAN/ACL segmentation from any untrusted network segment, tightening reachability during planned maintenance reboots when the early-boot window is opened deliberately.

This functionality is not formally documented and becomes accessible without authentication for a brief period in the early boot phase. During this window, an unauthenticated remote attacker can gain access to the internal system processes, resulting in full system compromise.

CERT@VDE

ATT&CK mapping

1 technique mapped from the cited reporting · MITRE ATT&CK v19.1

Initial Access TA0001
T1190Exploit Public-Facing Application

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network. The weakness in the system can be a software bug, a temporary glitch, or a misconfiguration.

overlap matrix · ATT&CK page ↗

PROVENANCE

AI-generated · no human review · this permalink is the shareable record for the finding · verify operationally critical claims against the linked primary source.