CVE-2026-3587
published 2026-03-23CVE-2026-3587: An unauthenticated remote attacker can exploit a hidden function in the CLI prompt to escape the restricted interface, leading to full compromise of the device.
PriorityP273critical10CVSS 3.1
AVNACLPRNUINSCCHIHAH
EPSS
0.68%
47.7th percentile
An unauthenticated remote attacker can exploit a hidden function in the CLI prompt to escape the restricted interface, leading to full compromise of the device.
Affected
16 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| wago | industrial_managed_switch_852-1305 | >= 0.0.0 < V1.2.0.S0 | V1.2.0.S0 |
| wago | industrial_managed_switch_852-1305-000-001 | >= 0.0.0 < V1.2.0.S0 | V1.2.0.S0 |
| wago | industrial_managed_switch_852-1505 | >= 0.0.0 < V1.1.9.S0 | V1.1.9.S0 |
| wago | industrial_managed_switch_852-1505-000-001 | >= 0.0.0 < V1.2.0.S0 | V1.2.0.S0 |
| wago | industrial_managed_switch_852-1605 | >= 0.0.0 < V1.2.5.S0 | V1.2.5.S0 |
| wago | industrial_managed_switch_852-303 | >= 0.0.0 < V1.2.8.S0 | V1.2.8.S0 |
| wago | industrial_managed_switch_852-602 | >= 0.0.0 < V1.0.6.S0 | V1.0.6.S0 |
| wago | industrial_managed_switch_852-603 | >= 0.0.0 < V1.0.6.S0 | V1.0.6.S0 |
| wago | lean_managed_switch_852-1812 | >= 0.0.0 < V1.2.1.S0 | V1.2.1.S0 |
| wago | lean_managed_switch_852-1812-010-000 | >= 0.0.0 < V1.2.1.S0 | V1.2.1.S0 |
| wago | lean_managed_switch_852-1813 | >= 0.0.0 < V1.2.1.S0 | V1.2.1.S0 |
| wago | lean_managed_switch_852-1813-000-001 | >= 0.0.0 < V1.2.3.S0 | V1.2.3.S0 |
| wago | lean_managed_switch_852-1813-010-000 | >= 0.0.0 < V1.2.1.S0 | V1.2.1.S0 |
| wago | lean_managed_switch_852-1813_010-001 | >= 0.0.0 < V1.2.1.S0 | V1.2.1.S0 |
| wago | lean_managed_switch_852-1816 | >= 0.0.0 < V1.2.1.S0 | V1.2.1.S0 |
| wago | lean_managed_switch_852-1816-010-000 | >= 0.0.0 < V1.2.1.S0 | V1.2.1.S0 |
Detection & IOCsextracted from sources · hover to see the quote
- →The vulnerability exploits a hidden function accessible via the CLI prompt on WAGO Industrial Managed Switches; monitor for unexpected or undocumented CLI commands being issued over SSH or Telnet sessions to these devices. ↗
- →Monitor and alert on SSH and Telnet connections to WAGO Industrial Managed Switches (852-series hardware); unauthenticated CLI access via these protocols is the primary attack vector for CVE-2026-3587. ↗
- →For Industrial Managed Switch models (852-303, 852-1305, 852-1305/000-001, 852-1505/000-001, 852-1505, 852-602, 852-603, 852-1605), if SSH/Telnet cannot be disabled, flag any remote CLI sessions as suspicious since the CLI should only be accessible locally via RS232 as a mitigation. ↗
- ·All listed WAGO 852-series firmware versions at or below the specified thresholds are vulnerable; the attack is unauthenticated, meaning no credentials are required to reach the hidden CLI function. ↗
- ·WAGO Firmware version V1.2.1.S1 on hardware 852-1813/010-001 is listed as both affected and partially fixed — verify exact sub-version (S0 vs S1) when assessing exposure. ↗
- ·Disabling SSH and Telnet is only a full mitigation for Lean Managed Switch models; for Industrial Managed Switch models it only reduces (not eliminates) the attack vector, as local RS232 CLI access remains. ↗
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
CISA ICS
WAGO GmbH & Co. KG Industrial Managed Switches
cisa_ics·2026-03-26·CVSS 10.0
[CRITICAL] WAGO GmbH & Co. KG Industrial Managed Switches
ICS Advisory
##
WAGO GmbH & Co. KG Industrial Managed Switches
Release DateMarch 26, 2026
Alert CodeICSA-26-085-01
Related topics:
Industrial Control System Vulnerabilities, Industrial Control Systems
View CSAF
## Summary
An unauthenticated remote attacker can exploit a hidden function in the CLI prompt to escape the restricted interface, leading to full compromise of the device.
The following versions of WAGO GmbH & Co. KG Industrial Managed Switches are affected:
- WAGO Firmware versions prior to V1.2.1.S0 WAGO_Hardware_852-1812 (CVE-2026-3587)
- WAGO Firmware versions prior to V1.2.1.S0 WAGO_Hardware_852-1813 (CVE-2026-3587)
- WAGO Firmware versions prior to V1.2.3.S0 WAGO_Hardware_852-1813/000-001 (CVE-2026-3587)
- WAGO Firmware versions prior to V1.
GHSA
GHSA-4r7q-86hg-h98x: An unauthenticated remote attacker can exploit a hidden function in the CLI prompt to escape the restricted interface and gain root access to the unde
ghsa_unreviewed·2026-03-23
CVE-2026-3587 [CRITICAL] CWE-912 GHSA-4r7q-86hg-h98x: An unauthenticated remote attacker can exploit a hidden function in the CLI prompt to escape the restricted interface and gain root access to the unde
An unauthenticated remote attacker can exploit a hidden function in the CLI prompt to escape the restricted interface and gain root access to the underlying Linux based OS, leading to full compromise of the device.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
2026-03-23
Published