Skip to content
Threat Feed
critical advisory

CVE-2026-4769: Unauthenticated Remote Access in WAGO System I/O Field Series

A critical vulnerability, CVE-2026-4769, in certain WAGO System I/O Field series devices allows an unauthenticated remote attacker to gain full system compromise by accessing an undocumented internal diagnostic capability during the initial startup sequence.

The CVE-2026-4769 vulnerability affects specific WAGO System I/O Field series devices, enabling an unauthenticated remote attacker to achieve full system compromise. During the initial startup phase, these devices briefly activate an internal diagnostic capability that is not officially documented. This functionality becomes remotely accessible without authentication for a short window, allowing an attacker to gain deep access to the internal system processes. The flaw, categorized as CWE-912 (Hidden Functionality), presents a significant risk to industrial control systems and operational technology (OT) environments, as it allows for complete control over affected devices. This vulnerability was published on July 13, 2026, by NVD based on an advisory from CERT VDE.

Attack Chain

  1. Reconnaissance: An attacker identifies vulnerable WAGO System I/O Field series devices on a network segment, potentially by scanning for specific device types or network services.
  2. Timing: The attacker monitors the target device's network activity to identify its startup sequence or waits for a reboot event.
  3. Initial Access: During the brief, unauthenticated window of the device's startup sequence, the attacker remotely connects to the exposed internal diagnostic capability.
  4. Exploitation: The attacker leverages the undocumented diagnostic functionality to gain access to internal system processes without requiring authentication.
  5. System Compromise: The attacker utilizes the gained access to achieve full control over the WAGO System I/O Field device.
  6. Impact (Potential): Depending on the attacker's objective, this control could lead to manipulating industrial processes, data exfiltration, or further lateral movement within the OT network.

Impact

Successful exploitation of CVE-2026-4769 leads to complete system compromise of the affected WAGO System I/O Field series devices. This allows an unauthenticated remote attacker to take full control, potentially disrupting critical industrial processes, manipulating operational data, or causing physical damage in industrial control system (ICS) environments. The vulnerability poses a severe threat to operational technology, as it could result in production downtime, safety hazards, and significant financial losses for organizations relying on these devices.

Recommendation

  • Patch CVE-2026-4769: Immediately update WAGO System I/O Field series devices to versions 1.2.1.100 or later for 0765-110x/0100-0000 and 0765-410x/0100-0000; to versions 1.2.7.100 or later for 0765-120x/0100-0000 and 0765-420x/0100-0000; to versions 1.2.7.103 or later for 0765-150x/0100-0000 and 0765-450x/0100-0000; to version 1.2.1.102 or later for 0765-2101/0100-0000; and to version 1.2.5.101 or later for 0765-2102/0100-0000.
  • Network Segmentation: Isolate WAGO System I/O Field series devices in critical network segments and apply strict firewall rules to restrict remote access, especially during device startup.
  • Consult Advisory: Refer to the CERT VDE advisory https://www.certvde.com/en/advisories/VDE-2026-031/ for further guidance and details regarding this vulnerability.