
WAGO Industrial Switches: Understanding CVE-2026-22903, CVE-2026-22904, and CVE-2026-22906
What Is WAGO?
WAGO is a German manufacturer known for industrial electrical and automation equipment. In factories and critical infrastructure environments, their products are commonly used inside control cabinets and network racks.
Beyond their well-known electrical connectors, WAGO produces:
- Industrial Ethernet switches
- PLCs (Programmable Logic Controllers)
- I/O modules
- Industrial controllers and automation systems
The vulnerabilities in question affect WAGO Industrial Managed Switches, specifically models such as 0852-1322 and 0852-1328 running firmware 2.64 or earlier.
Unlike a typical office network switch, industrial switches are often deployed in operational technology environments such as manufacturing lines, power facilities, transportation systems, and building automation. That makes security issues potentially more serious because they can impact physical processes, not just data.
The Three Critical CVEs
All three vulnerabilities carry a CVSS score of 9.8, which means they are rated Critical. This rating indicates that they are remotely exploitable, require no authentication, and can significantly impact confidentiality, integrity, and availability.
CVE-2026-22903
This vulnerability is a stack-based buffer overflow in the web management interface of the affected switches. It can be triggered by sending a specially crafted HTTP request containing an overly long SESSIONID cookie.
If successfully exploited, the vulnerability can crash the web service. In certain conditions, it may also allow remote code execution. That means an attacker could potentially take control of the device without needing valid credentials, as long as they can reach the management interface over the network.
CVE-2026-22904
This issue is another stack buffer overflow in the same web interface. It is caused by improper length validation when parsing cookie fields, including TRACKID.
Like CVE-2026-22903, it can be exploited remotely and without authentication. The most immediate impact is denial of service by crashing the web service, but depending on the device protections and exploit reliability, remote code execution may also be possible.
Because both vulnerabilities affect the embedded HTTP server, they expose the administrative interface of the switch to compromise.
CVE-2026-22906
This vulnerability involves the use of a hard-coded cryptographic key within the firmware.
The switch stores user credentials using AES encryption in ECB mode, but the encryption key is embedded directly in the firmware. An attacker who obtains a configuration file from the device can use the hard-coded key, extracted from the firmware, to decrypt the stored credentials offline.
This could expose administrative usernames and passwords in plaintext. On its own, this attack requires access to the configuration file. However, when combined with other vulnerabilities such as authentication bypass or file access issues, the risk becomes much more serious.
Why This Matters
Industrial managed switches are central components in OT networks. They connect PLCs, sensors, controllers, and supervisory systems. If a switch is compromised, an attacker could:
- Disrupt network communications
- Modify configurations
- Intercept or redirect traffic
- Potentially pivot deeper into the operational network
In environments like manufacturing or energy, that can translate into production downtime or operational disruption.
Affected Devices and Mitigation
The vulnerabilities affect WAGO Industrial Managed Switches including models 0852-1322 and 0852-1328 running firmware version 2.64 or earlier.
Recommended actions include:
- Upgrade to firmware 2.65 or later
- Restrict access to the web management interface
- Segment OT networks from corporate IT networks
- Monitor for abnormal HTTP traffic targeting management interfaces
- Treat configuration files as sensitive assets
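One way to act on the monitoring recommendation above, as an added example that is not from WAGO or the advisory: a Python check that flags requests whose SESSIONID or TRACKID cookie value exceeds a length ceiling. The 128-byte ceiling, the function names, and the sample requests are assumptions constructed for illustration.

```python
"""Flag HTTP requests whose SESSIONID/TRACKID cookie values are abnormally long."""

WATCHED = {"SESSIONID", "TRACKID"}  # cookie fields named in the CVE descriptions
MAX_VALUE_LEN = 128                 # assumed ceiling; tune to what your switches issue


def cookie_pairs(raw_request: bytes):
    """Yield (name, value) for every cookie in every Cookie header of a raw request."""
    head = raw_request.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    for line in head.split("\r\n")[1:]:  # skip the request line
        name, sep, value = line.partition(":")
        if not sep or name.strip().lower() != "cookie":
            continue
        for item in value.split(";"):
            key, eq, val = item.strip().partition("=")
            if eq:
                yield key.strip(), val.strip()


def oversized_cookies(raw_request: bytes, limit: int = MAX_VALUE_LEN):
    """Return [(cookie_name, value_length)] for watched cookies longer than limit."""
    # Names are upper-cased before matching so case variants are not missed.
    return [(k.upper(), len(v)) for k, v in cookie_pairs(raw_request)
            if k.upper() in WATCHED and len(v) > limit]


def scan(captured, limit: int = MAX_VALUE_LEN):
    """captured: iterable of (source_ip, raw_request). Returns a list of alert dicts."""
    alerts = []
    for src, raw in captured:
        for name, length in oversized_cookies(raw, limit):
            alerts.append({"src": src, "cookie": name, "length": length})
    return alerts


# Constructed sample traffic (not real captures): one normal request, one anomalous.
SAMPLE = [
    ("10.20.0.15", b"GET /index.html HTTP/1.1\r\nHost: switch\r\n"
                   b"Cookie: SESSIONID=3f9a1c7e; lang=en\r\n\r\n"),
    ("10.20.0.99", b"GET / HTTP/1.1\r\nHost: switch\r\n"
                   b"cookie: lang=en; trackid=" + b"A" * 600 + b"\r\n\r\n"),
]

if __name__ == "__main__":
    for alert in scan(SAMPLE):
        print("ALERT oversized cookie:", alert)
```

The same length check can be expressed as a rule in a reverse proxy or IDS placed in front of the management interface, so oversized cookies are dropped before they reach the switch.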
Final Thoughts
These three CVEs highlight a common pattern in industrial device security: insecure web management interfaces and weak credential protection mechanisms. In operational environments, infrastructure devices are often trusted implicitly, which makes vulnerabilities at this layer especially dangerous.
