Protect.Computer
NEWS

WAGO industrial managed switches exposed to critical hidden-CLI flaw (CVE-2026-3587)

· 1 min read · Remote code execution Network intrusion
WAGO industrial managed switches exposed to critical hidden-CLI flaw (CVE-2026-3587)

Photo by protect.computer (custom explainer graphic) on protect.computer

What happened

CISA published ICS advisory ICSA-26-085-01 for CVE-2026-3587 affecting multiple WAGO industrial managed switch models and firmware versions.

The advisory states that an unauthenticated remote attacker can abuse a hidden function in the CLI prompt to escape the restricted interface, which can lead to full device compromise.

NVD tracks the same issue and maps weakness CWE-912 (Hidden Functionality).

Why this matters

These are industrial networking devices. If a threat actor compromises edge switching in OT/ICS environments, the blast radius can include:

  • traffic interception/manipulation,
  • segmentation bypass,
  • lateral movement into control environments,
  • operational disruption.

This is especially urgent for internet-reachable or weakly segmented management interfaces.

How to check if you’re affected

Potentially affected systems/services

  • WAGO industrial managed switches listed in CISA ICSA-26-085-01.
  • Devices running firmware versions below the fixed baselines documented by vendor/CISA.
  • Deployments exposing device management/CLI surfaces to untrusted networks.

Concrete verification steps (10–20 minute triage)

  1. Inventory exact hardware + firmware versions

    • Export your switch asset list and firmware versions.
    • Match against affected/fixed versions in CISA and CERT@VDE advisories.

  2. Check management-plane exposure

    • Confirm which management interfaces are reachable from IT networks, vendor remote-access paths, or internet edges.
    • Block any unnecessary external access immediately.

  3. Apply vendor-recommended firmware updates

    • Upgrade affected devices to fixed firmware versions per model.
    • Validate successful update and post-upgrade config integrity.

  4. Hunt for suspicious admin/CLI activity

    • Review switch/system logs for unknown sessions, unusual command sequences, and unexplained config changes.
    • Investigate abnormal routing/VLAN/ACL changes.

  5. Strengthen compensating controls

    • Enforce strict ACLs for management access.
    • Isolate OT management networks and require strong authentication paths (jump host/VPN/MFA where possible).

Immediate defensive actions

  • Patch affected WAGO devices on an expedited timeline.
  • Restrict management access to trusted admin segments only.
  • Audit switch configurations for unauthorized changes after remediation.

Sources

Bottom line

Treat CVE-2026-3587 as an urgent OT network-hardening item: identify affected WAGO switches, patch quickly, and lock down management-plane reachability before it becomes an initial access path.

Related reading

News
CISA adds F5 BIG-IP CVE-2025-53521 to KEV after active exploitation

CISA added CVE-2025-53521 in F5 BIG-IP to the KEV catalog on March 27, 2026; exposed APM deployments should be triaged and patched immediately.

News
Second FortiClient EMS zero-day in a week actively exploited — emergency hotfix released (CVE-2026-35616)

Fortinet pushed an emergency weekend hotfix for CVE-2026-35616 (CVSS 9.1), a pre-auth API bypass in FortiClient EMS 7.4.5–7.4.6 that allows unauthenticated remote code execution. Active exploitation confirmed since March 31. CISA added it to KEV with an April 9 deadline.

News
OpenTelemetry Java Agent 2.26.1 fixes RMI deserialization RCE risk (CVE-2026-33701)

OpenTelemetry Java Instrumentation patched a critical unsafe deserialization flaw in RMI instrumentation; exposed JMX/RMI ports on Java 16 and older can become remote code execution paths.

News
CISA adds Langflow CVE-2026-33017 to KEV after active RCE exploitation

CISA added Langflow CVE-2026-33017 to the KEV catalog after evidence of active exploitation; vulnerable public-flow endpoints can allow unauthenticated remote code execution.