VDE-2025-095

Vulnerability from csaf_wagogmbhcokg - Published: 2025-12-10 10:00 - Updated: 2026-01-19 08:00
Summary
WAGO: Vulnerabilities in WAGO Industrial-Managed Switches
Severity
High
Notes
Summary: Two remote stack buffer overflow vulnerabilities were discovered in WAGO industrial switches. These issues originate from unsafe input handling in custom HTTP request parsing functions within the lighttpd binary. The affected binary lacks modern security features such as PIE and RELRO, increasing the risk of successful exploitation.
Impact: The vulnerabilities are exploitable without authentication and may allow remote code execution or cause denial of service. Exploitation can disable the web interface until manual intervention, as no automatic recovery mechanisms are in place.
Remediation: Please update your devices to the specified fixed firmware version 02.64.

An unauthenticated remote attacker can abuse unsafe sscanf calls within the check_account() function to write arbitrary data into fixed-size stack buffers, which leads to full device compromise.

CWE-121 - Stack-based Buffer Overflow
Vendor Fix: Please update your devices to the specified fixed firmware version.

An unauthenticated remote attacker can abuse unsafe sscanf calls within the check_cookie() function to write arbitrary data into fixed-size stack buffers, which leads to full device compromise.

CWE-121 - Stack-based Buffer Overflow
Vendor Fix: Please update your devices to the specified fixed firmware version.
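The bug class behind both CVEs is sscanf parsing a cookie header into a fixed-size stack buffer without a field width. The following is an added illustration, not the vendor's lighttpd code: the unsafe pattern is shown in a comment, and the function below is the bounded form a defender would expect instead. The cookie name `session`, the buffer size `TOKEN_MAX` and the sample headers are assumptions.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Assumed buffer size; the advisory does not state the real one. */
#define TOKEN_MAX 32

/*
 * The pattern the advisory describes (illustrative, not the vendor's code):
 *
 *     char tok[TOKEN_MAX];
 *     sscanf(cookie, "session=%s", tok);
 *
 * "%s" carries no width, so a value longer than TOKEN_MAX - 1 bytes overruns
 * tok on the stack; without canaries, PIE or RELRO nothing catches it.
 */

/* Hardened parser: bounded width, checked return value, and over-long values
 * rejected rather than silently truncated. Returns 1 on success, else 0. */
int parse_session_cookie(const char *cookie, char out[TOKEN_MAX])
{
    const char *p;
    int consumed = 0;

    if (cookie == NULL) return 0;
    /* the cookie name must start the header or follow a separator */
    p = strstr(cookie, "session=");
    while (p != NULL && p != cookie && p[-1] != ' ' && p[-1] != ';')
        p = strstr(p + 1, "session=");
    if (p == NULL) return 0;

    /* width 31 == TOKEN_MAX - 1 leaves room for the NUL terminator;
     * %n records how far the scan got so truncation can be detected */
    if (sscanf(p, "session=%31[^;]%n", out, &consumed) != 1) return 0;
    if (p[consumed] != '\0' && p[consumed] != ';') {
        out[0] = '\0';          /* value longer than 31 bytes: reject it */
        return 0;
    }
    return 1;
}

/* Convenience check: does the header carry exactly this session value? */
int session_value_is(const char *cookie, const char *expected)
{
    char buf[TOKEN_MAX] = {0};
    if (!parse_session_cookie(cookie, buf)) return 0;
    return strcmp(buf, expected) == 0;
}
```

A 32-byte value is refused outright rather than cut to 31 bytes, so a truncated token can never be mistaken for a valid one.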
Acknowledgments
CERT@VDE certvde.com
Daniel Hulliger, The Cyber-Defence Campus of armasuisse S+T

{
  "document": {
    "acknowledgments": [
      {
        "organization": "CERT@VDE",
        "summary": "coordination",
        "urls": [
          "https://certvde.com"
        ]
      },
      {
        "names": [
          "Daniel Hulliger"
        ],
        "organization": "The Cyber-Defence Campus of armasuisse S+T",
        "summary": "reporting"
      }
    ],
    "aggregate_severity": {
      "namespace": "https://www.first.org/cvss/v3.1/specification-document#Qualitative-Severity-Rating-Scale",
      "text": "High"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en-GB",
    "notes": [
      {
        "category": "summary",
        "text": "Two remote stack buffer overflow vulnerabilities were discovered in WAGO industrial switches. These issues originate from unsafe input handling in custom HTTP request parsing functions within the lighttpd binary. The affected binary lacks modern security features such as PIE and RELRO, increasing the risk of successful exploitation.",
        "title": "Summary"
      },
      {
        "category": "description",
        "text": "The vulnerabilities are exploitable without authentication and may allow remote code execution or cause denial of service. Exploitation can disable the web interface until manual intervention, as no automatic recovery mechanisms are in place.",
        "title": "Impact"
      },
      {
        "category": "description",
        "text": "Please update your devices to the specified fixed firmware version 02.64.",
        "title": "Remediation"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "psirt@wago.com",
      "name": "WAGO GmbH \u0026 Co. KG",
      "namespace": "https://www.wago.com/psirt"
    },
    "references": [
      {
        "category": "self",
        "summary": "WAGO PSIRT",
        "url": "https://www.wago.com/de-en/automation-technology/psirt"
      },
      {
        "category": "external",
        "summary": "CERT@VDE Security Advisories for WAGO",
        "url": "https://certvde.com/de/advisories/vendor/wago/"
      },
      {
        "category": "self",
        "summary": "VDE-2025-095: WAGO: Vulnerabilities in WAGO Industrial-Managed Switches - HTML",
        "url": "https://certvde.com/en/advisories/VDE-2025-095"
      },
      {
        "category": "self",
        "summary": "VDE-2025-095: WAGO: Vulnerabilities in WAGO Industrial-Managed Switches - CSAF",
        "url": "https://wago.csaf-tp.certvde.com/.well-known/csaf/white/2025/vde-2025-095.json"
      }
    ],
    "title": "WAGO: Vulnerabilities in WAGO Industrial-Managed Switches",
    "tracking": {
      "aliases": [
        "VDE-2025-095"
      ],
      "current_release_date": "2026-01-19T08:00:00.000Z",
      "generator": {
        "date": "2026-01-15T10:43:12.583Z",
        "engine": {
          "name": "Secvisogram",
          "version": "2.5.42"
        }
      },
      "id": "VDE-2025-095",
      "initial_release_date": "2025-12-10T10:00:00.000Z",
      "revision_history": [
        {
          "date": "2025-12-10T10:00:00.000Z",
          "number": "1.0.0",
          "summary": "Initial release."
        },
        {
          "date": "2025-12-11T09:00:00.000Z",
          "number": "1.1.0",
          "summary": "Updated CVSS-Scores"
        },
        {
          "date": "2026-01-19T08:00:00.000Z",
          "number": "1.2.0",
          "summary": "Updated model numbers."
        }
      ],
      "status": "final",
      "version": "1.2.0"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "branches": [
                  {
                    "category": "product_name",
                    "name": "0852-1322",
                    "product": {
                      "name": "Industrial-Managed-Switches 0852-1322",
                      "product_id": "CSAFPID-11001",
                      "product_identification_helper": {
                        "model_numbers": [
                          "0852-1322"
                        ]
                      }
                    }
                  },
                  {
                    "category": "product_name",
                    "name": "0852-1328",
                    "product": {
                      "name": "Industrial-Managed-Switches 0852-1328",
                      "product_id": "CSAFPID-11002",
                      "product_identification_helper": {
                        "model_numbers": [
                          "0852-1328"
                        ]
                      }
                    }
                  }
                ],
                "category": "product_name",
                "name": "Industrial-Managed-Switches"
              }
            ],
            "category": "product_family",
            "name": "Hardware"
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "vers:generic/\u003e=01.00|\u003c02.64",
                "product": {
                  "name": "Firmware \u003c02.64",
                  "product_id": "CSAFPID-21001"
                }
              },
              {
                "category": "product_version",
                "name": "02.64",
                "product": {
                  "name": "Firmware 02.64",
                  "product_id": "CSAFPID-22001",
                  "product_identification_helper": {
                    "cpe": "cpe:2.3:o:wago:0852_13xx_firmware:02.64:*:*:*:*:*:*:*"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "Firmware"
          }
        ],
        "category": "vendor",
        "name": "WAGO"
      }
    ],
    "product_groups": [
      {
        "group_id": "CSAFGID-0001",
        "product_ids": [
          "CSAFPID-31001",
          "CSAFPID-31002"
        ],
        "summary": "Affected products"
      },
      {
        "group_id": "CSAFGID-0002",
        "product_ids": [
          "CSAFPID-32001",
          "CSAFPID-32002"
        ],
        "summary": "Fixed products."
      }
    ],
    "relationships": [
      {
        "category": "installed_on",
        "full_product_name": {
          "name": "Firmware \u003c02.64 installed on Industrial-Managed-Switches 0852-1322",
          "product_id": "CSAFPID-31001",
          "product_identification_helper": {
            "model_numbers": [
              "0852-1322"
            ]
          }
        },
        "product_reference": "CSAFPID-21001",
        "relates_to_product_reference": "CSAFPID-11001"
      },
      {
        "category": "installed_on",
        "full_product_name": {
          "name": "Firmware \u003c02.64 installed on Industrial-Managed-Switches 0852-1328",
          "product_id": "CSAFPID-31002",
          "product_identification_helper": {
            "model_numbers": [
              "0852-1328"
            ]
          }
        },
        "product_reference": "CSAFPID-21001",
        "relates_to_product_reference": "CSAFPID-11002"
      },
      {
        "category": "installed_on",
        "full_product_name": {
          "name": "Firmware 02.64 installed on Industrial-Managed-Switches 0852-1322",
          "product_id": "CSAFPID-32001",
          "product_identification_helper": {
            "model_numbers": [
              "0852-1322"
            ]
          }
        },
        "product_reference": "CSAFPID-22001",
        "relates_to_product_reference": "CSAFPID-11001"
      },
      {
        "category": "installed_on",
        "full_product_name": {
          "name": "Firmware 02.64 installed on Industrial-Managed-Switches 0852-1328",
          "product_id": "CSAFPID-32002",
          "product_identification_helper": {
            "model_numbers": [
              "0852-1328"
            ]
          }
        },
        "product_reference": "CSAFPID-22001",
        "relates_to_product_reference": "CSAFPID-11002"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2025-41730",
      "cwe": {
        "id": "CWE-121",
        "name": "Stack-based Buffer Overflow"
      },
      "notes": [
        {
          "category": "details",
          "text": "A remote stack buffer overflow vulnerability was identified in WAGO 8-Port Industrial-Managed Switches. The vulnerability resides in the vendor-added HTTP request parsing function check_account() within the lighttpd binary. The function uses unsafe sscanf calls to parse cookie headers, allowing attackers to write arbitrary data into fixed-size stack buffers.\nThe affected binary is not compiled as a Position Independent Executable (PIE), and lacks other modern binary protections such as RELRO and stack canaries. As a result, code addresses are predictable and exploitation is significantly easier. Since the vulnerable function is executed before authentication, the flaws are remotely exploitable without prior access.",
          "title": "CVE Details"
        },
        {
          "category": "description",
          "text": "An unauthenticated remote attacker can abuse unsafe sscanf calls within the check_account() function to write arbitrary data into fixed-size stack buffers, which leads to full device compromise.",
          "title": "CVE Description"
        }
      ],
      "product_status": {
        "fixed": [
          "CSAFPID-32001",
          "CSAFPID-32002"
        ],
        "known_affected": [
          "CSAFPID-31001",
          "CSAFPID-31002"
        ]
      },
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2025-09-25T14:00:00.000Z",
          "details": "Please update your devices to the specified fixed firmware version.",
          "group_ids": [
            "CSAFGID-0001"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 9.8,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "environmentalScore": 9.8,
            "environmentalSeverity": "CRITICAL",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "temporalScore": 9.8,
            "temporalSeverity": "CRITICAL",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-31001",
            "CSAFPID-31002"
          ]
        }
      ],
      "title": "Stack-based buffer overflow via unsafe sscanf in check_account()"
    },
    {
      "cve": "CVE-2025-41732",
      "cwe": {
        "id": "CWE-121",
        "name": "Stack-based Buffer Overflow"
      },
      "notes": [
        {
          "category": "description",
          "text": "An unauthenticated remote attacker can abuse unsafe sscanf calls within the check_cookie() function to write arbitrary data into fixed-size stack buffers, which leads to full device compromise.",
          "title": "CVE Description"
        },
        {
          "category": "details",
          "text": "A remote stack buffer overflow vulnerability was identified in WAGO 8-Port Industrial-Managed Switches. The vulnerability resides in the vendor-added HTTP request parsing function check_cookie() within the lighttpd binary. The function uses unsafe sscanf calls to parse cookie headers, allowing attackers to write arbitrary data into fixed-size stack buffers. The affected binary is not compiled as a Position Independent Executable (PIE), and lacks other modern binary protections such as RELRO and stack canaries. As a result, code addresses are predictable and exploitation is significantly easier. Since the vulnerable function is executed before authentication, the flaws are remotely exploitable without prior access.",
          "title": "CVE Details"
        }
      ],
      "product_status": {
        "fixed": [
          "CSAFPID-32001",
          "CSAFPID-32002"
        ],
        "known_affected": [
          "CSAFPID-31001",
          "CSAFPID-31002"
        ]
      },
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2025-09-25T14:00:00.000Z",
          "details": "Please update your devices to the specified fixed firmware version.",
          "group_ids": [
            "CSAFGID-0001"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 9.8,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "environmentalScore": 9.8,
            "environmentalSeverity": "CRITICAL",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "temporalScore": 9.8,
            "temporalSeverity": "CRITICAL",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-31001",
            "CSAFPID-31002"
          ]
        }
      ],
      "title": "Stack-based buffer overflow via unsafe sscanf in check_cookie()"
    }
  ]
}
