An unauthenticated remote attacker can abuse unsafe sscanf calls within the check_cookie() function to write arbitrary data into fixed-size stack buffers which leads to full device compromise.
The vulnerability results from unsafe use of the sscanf() function within the check_cookie() function, which does not verify the length of input data before writing it to fixed-size buffers on the stack. An attacker can provide specially crafted data, causing arbitrary content to be written beyond the boundaries of the allocated buffer (stack-based buffer overflow, CWE-121, CWE-787). Stack overflow allows overwriting critical process control structures, leading to arbitrary code execution.
An attacker gains full control over the attacked device without needing any credentials, which includes the ability to read and modify configuration data, disrupt device operation, and use it as an entry point for further attacks on the industrial network.
Apply patches available from the manufacturer according to the references — detailed information about available firmware updates is contained in the CERT@VDE VDE-2025-095 advisory (https://certvde.com/de/advisories/VDE-2025-095). Until the update is applied, restrict network access to WAGO 0852 devices through network segmentation, firewall, or VPN, preventing access by unauthorized hosts.
WAGO 0852-1322 and WAGO 0852-1328 devices along with their firmware; specific firmware versions indicated in the manufacturer's references (CERT@VDE advisory VDE-2025-095).
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HWago 0852 1322
HWWagowszystkie wersjeWago 0852 1322 Firmware
OSWago< 02.64Wago 0852 1328
HWWagowszystkie wersjeWago 0852 1328 Firmware
OSWago< 02.64
Related vulnerabilities
Stack buffer overflow w urządzeniach Wago 0852 – pełne przejęcie urządzenia
WAGO 0852 — command injection w panelu zarządzania WWW (root RCE)
In multiple products of WAGO a vulnerability allows an unauthenticated, remote attacker to create new users an...
The configuration backend of the web-based management can be used by unauthenticated users, although only auth...
The configuration backend allows an unauthenticated user to write arbitrary data with root privileges to the s...