cbcvebase.
CVE-2026-3587
published 2026-03-23

CVE-2026-3587: An unauthenticated remote attacker can exploit a hidden function in the CLI prompt to escape the restricted interface, leading to full compromise of the device.

PriorityP273critical10CVSS 3.1
AVNACLPRNUINSCCHIHAH
EPSS
0.68%
47.7th percentile
An unauthenticated remote attacker can exploit a hidden function in the CLI prompt to escape the restricted interface, leading to full compromise of the device.

Affected

16 ranges
VendorProductVersion rangeFixed in
wagoindustrial_managed_switch_852-1305>= 0.0.0 < V1.2.0.S0V1.2.0.S0
wagoindustrial_managed_switch_852-1305-000-001>= 0.0.0 < V1.2.0.S0V1.2.0.S0
wagoindustrial_managed_switch_852-1505>= 0.0.0 < V1.1.9.S0V1.1.9.S0
wagoindustrial_managed_switch_852-1505-000-001>= 0.0.0 < V1.2.0.S0V1.2.0.S0
wagoindustrial_managed_switch_852-1605>= 0.0.0 < V1.2.5.S0V1.2.5.S0
wagoindustrial_managed_switch_852-303>= 0.0.0 < V1.2.8.S0V1.2.8.S0
wagoindustrial_managed_switch_852-602>= 0.0.0 < V1.0.6.S0V1.0.6.S0
wagoindustrial_managed_switch_852-603>= 0.0.0 < V1.0.6.S0V1.0.6.S0
wagolean_managed_switch_852-1812>= 0.0.0 < V1.2.1.S0V1.2.1.S0
wagolean_managed_switch_852-1812-010-000>= 0.0.0 < V1.2.1.S0V1.2.1.S0
wagolean_managed_switch_852-1813>= 0.0.0 < V1.2.1.S0V1.2.1.S0
wagolean_managed_switch_852-1813-000-001>= 0.0.0 < V1.2.3.S0V1.2.3.S0
wagolean_managed_switch_852-1813-010-000>= 0.0.0 < V1.2.1.S0V1.2.1.S0
wagolean_managed_switch_852-1813_010-001>= 0.0.0 < V1.2.1.S0V1.2.1.S0
wagolean_managed_switch_852-1816>= 0.0.0 < V1.2.1.S0V1.2.1.S0
wagolean_managed_switch_852-1816-010-000>= 0.0.0 < V1.2.1.S0V1.2.1.S0

Detection & IOCsextracted from sources · hover to see the quote

  • The vulnerability exploits a hidden function accessible via the CLI prompt on WAGO Industrial Managed Switches; monitor for unexpected or undocumented CLI commands being issued over SSH or Telnet sessions to these devices.
  • Monitor and alert on SSH and Telnet connections to WAGO Industrial Managed Switches (852-series hardware); unauthenticated CLI access via these protocols is the primary attack vector for CVE-2026-3587.
  • For Industrial Managed Switch models (852-303, 852-1305, 852-1305/000-001, 852-1505/000-001, 852-1505, 852-602, 852-603, 852-1605), if SSH/Telnet cannot be disabled, flag any remote CLI sessions as suspicious since the CLI should only be accessible locally via RS232 as a mitigation.
  • ·All listed WAGO 852-series firmware versions at or below the specified thresholds are vulnerable; the attack is unauthenticated, meaning no credentials are required to reach the hidden CLI function.
  • ·WAGO Firmware version V1.2.1.S1 on hardware 852-1813/010-001 is listed as both affected and partially fixed — verify exact sub-version (S0 vs S1) when assessing exposure.
  • ·Disabling SSH and Telnet is only a full mitigation for Lean Managed Switch models; for Industrial Managed Switch models it only reduces (not eliminates) the attack vector, as local RS232 CLI access remains.
Stop checking back — get the weekly exploitation signal.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.