Severity by source
AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Lifecycle Timeline
3DescriptionCVE.org
An unauthenticated remote attacker can exploit a hidden function in the CLI prompt to escape the restricted interface and gain root access to the underlying Linux based OS, leading to full compromise of the device.
AnalysisAI
A hidden function in the CLI prompt of multiple WAGO industrial and lean managed switches allows unauthenticated remote attackers to escape the restricted interface and gain root access to the underlying Linux operating system. This results in complete device compromise with a maximum CVSS score of 10.0. The vulnerability affects over a dozen WAGO switch models used in industrial automation environments, and was disclosed by CERT@VDE.
Technical ContextAI
This vulnerability affects WAGO industrial and lean managed switch products running Linux-based firmware with a restricted CLI interface. The root cause is CWE-912 (Hidden Functionality), indicating the presence of undocumented or improperly restricted commands accessible through the command-line interface. Affected products include the Lean Managed Switch series (852-1812, 852-1813, 852-1816 and their variants) and Industrial Managed Switch series (852-303, 852-602, 852-603, 852-1305, 852-1505, 852-1605 and their variants). The CLI should enforce a restricted shell environment to prevent access to the underlying operating system, but a hidden function bypasses these restrictions entirely, allowing shell escape to gain root privileges on the Linux OS without any authentication requirement.
RemediationAI
Consult the CERT@VDE advisory at https://certvde.com/de/advisories/VDE-2026-020 for vendor-provided firmware updates that remove or properly restrict the hidden CLI function. Until firmware updates can be applied, implement network-level compensating controls including restricting management interface access to dedicated management VLANs accessible only from trusted administrator workstations, deploying firewall rules to block CLI/SSH access from untrusted networks, and implementing network segmentation to isolate affected switches from public networks. Disable remote management interfaces entirely if local console access is feasible for your operational requirements. Monitor network traffic for unexpected CLI access attempts and unauthorized connection patterns to these devices.
Same weakness CWE-912 – Hidden Functionality
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-14385
GHSA-4r7q-86hg-h98x