An unauthenticated remote attacker can abuse unsafe sscanf calls within the check_account() function to write arbitrary data into fixed-size stack buffers which leads to full device compromise.
The vulnerability results from unsafe use of the sscanf function within the check_account() function – input data is not properly validated for length. An attacker can provide crafted input data that causes arbitrary data to be written beyond the boundaries of fixed-size buffers allocated on the stack (stack buffer overflow, CWE-121, CWE-787). Stack buffer overflow can be exploited to overwrite the return address or other critical control data, leading to arbitrary code execution on the device.
An attacker can gain full control over the vulnerable device (full device compromise), including the ability to execute arbitrary code with the privileges of the process handling the connection. Compromise of device confidentiality, integrity, and availability is possible.
Apply patches available from the manufacturer according to the references (advisory VDE-2025-095 available at https://certvde.com/de/advisories/VDE-2025-095). Until the update is deployed, it is recommended to restrict network access to vulnerable devices exclusively to trusted hosts through a firewall or network segmentation.
Wago 0852-1322 and Wago 0852-1328 devices (including their firmware); specific firmware versions indicated in the manufacturer's references.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HWago 0852 1322
HWWagowszystkie wersjeWago 0852 1322 Firmware
OSWago< 02.64Wago 0852 1328
HWWagowszystkie wersjeWago 0852 1328 Firmware
OSWago< 02.64
Related vulnerabilities
Stack buffer overflow w urządzeniach WAGO 0852 — pełne przejęcie urządzenia
WAGO 0852 — command injection w panelu zarządzania WWW (root RCE)
In multiple products of WAGO a vulnerability allows an unauthenticated, remote attacker to create new users an...
The configuration backend of the web-based management can be used by unauthenticated users, although only auth...
The configuration backend allows an unauthenticated user to write arbitrary data with root privileges to the s...