{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/vendors/wago/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":9.8,"id":"CVE-2026-4769"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["0765-110x/0100-0000 (versions \u003c 1.2.1.100)","0765-120x/0100-0000 (versions \u003c 1.2.7.100)","0765-150x/0100-0000 (versions \u003c 1.2.7.103)","0765-2101/0100-0000 (versions \u003c 1.2.1.102)","0765-2102/0100-0000 (versions \u003c 1.2.5.101)","0765-410x/0100-0000 (versions \u003c 1.2.1.100)","0765-420x/0100-0000 (versions \u003c 1.2.7.100)","0765-450x/0100-0000 (versions \u003c 1.2.7.103)"],"_cs_severities":["critical"],"_cs_tags":["ics","ot","critical-vulnerability","unauthenticated-access","remote-code-execution","firmware-vulnerability"],"_cs_type":"advisory","_cs_vendors":["WAGO"],"content_html":"\u003cp\u003eThe CVE-2026-4769 vulnerability affects specific WAGO System I/O Field series devices, enabling an unauthenticated remote attacker to achieve full system compromise. During the initial startup phase, these devices briefly activate an internal diagnostic capability that is not officially documented. This functionality becomes remotely accessible without authentication for a short window, allowing an attacker to gain deep access to the internal system processes. The flaw, categorized as CWE-912 (Hidden Functionality), presents a significant risk to industrial control systems and operational technology (OT) environments, as it allows for complete control over affected devices. This vulnerability was published on July 13, 2026, by NVD based on an advisory from CERT VDE.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eReconnaissance\u003c/strong\u003e: An attacker identifies vulnerable WAGO System I/O Field series devices on a network segment, potentially by scanning for specific device types or network services.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eTiming\u003c/strong\u003e: The attacker monitors the target device's network activity to identify its startup sequence or waits for a reboot event.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eInitial Access\u003c/strong\u003e: During the brief, unauthenticated window of the device's startup sequence, the attacker remotely connects to the exposed internal diagnostic capability.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eExploitation\u003c/strong\u003e: The attacker leverages the undocumented diagnostic functionality to gain access to internal system processes without requiring authentication.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eSystem Compromise\u003c/strong\u003e: The attacker utilizes the gained access to achieve full control over the WAGO System I/O Field device.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eImpact (Potential)\u003c/strong\u003e: Depending on the attacker's objective, this control could lead to manipulating industrial processes, data exfiltration, or further lateral movement within the OT network.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-4769 leads to complete system compromise of the affected WAGO System I/O Field series devices. This allows an unauthenticated remote attacker to take full control, potentially disrupting critical industrial processes, manipulating operational data, or causing physical damage in industrial control system (ICS) environments. The vulnerability poses a severe threat to operational technology, as it could result in production downtime, safety hazards, and significant financial losses for organizations relying on these devices.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003e\u003cstrong\u003ePatch CVE-2026-4769\u003c/strong\u003e: Immediately update WAGO System I/O Field series devices to versions 1.2.1.100 or later for 0765-110x/0100-0000 and 0765-410x/0100-0000; to versions 1.2.7.100 or later for 0765-120x/0100-0000 and 0765-420x/0100-0000; to versions 1.2.7.103 or later for 0765-150x/0100-0000 and 0765-450x/0100-0000; to version 1.2.1.102 or later for 0765-2101/0100-0000; and to version 1.2.5.101 or later for 0765-2102/0100-0000.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eNetwork Segmentation\u003c/strong\u003e: Isolate WAGO System I/O Field series devices in critical network segments and apply strict firewall rules to restrict remote access, especially during device startup.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eConsult Advisory\u003c/strong\u003e: Refer to the CERT VDE advisory \u003ccode\u003ehttps://www.certvde.com/en/advisories/VDE-2026-031/\u003c/code\u003e for further guidance and details regarding this vulnerability.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-13T08:27:17Z","date_published":"2026-07-13T08:27:17Z","id":"https://feed.craftedsignal.io/briefs/2026-07-cve-2026-4769-wago/","summary":"A critical vulnerability, CVE-2026-4769, in certain WAGO System I/O Field series devices allows an unauthenticated remote attacker to gain full system compromise by accessing an undocumented internal diagnostic capability during the initial startup sequence.","title":"CVE-2026-4769: Unauthenticated Remote Access in WAGO System I/O Field Series","url":"https://feed.craftedsignal.io/briefs/2026-07-cve-2026-4769-wago/"}],"language":"en","title":"CraftedSignal Threat Feed - WAGO","version":"https://jsonfeed.org/version/1.1"}