Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Unauthenticated network access yields full impact (PR:N, C/I/A:H), but the interface is only reachable during a fleeting boot window, a timing condition outside attacker control, so AC:H.
Primary rating from Vendor (CERTVDE).
CVSS VectorVendor: CERTVDE
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3DescriptionCVE.org
Certain devices in the WAGO System I/O Field series activate an internal diagnostic capability during the initial startup sequence. This functionality is not formally documented and becomes accessible without authentication for a brief period in the early boot phase. During this window, an unauthenticated remote attacker can gain access to the internal system processes, resulting in full system compromise.
AnalysisAI
Full system compromise of WAGO System I/O-Field series controllers (0765-xxx families) is possible when an unauthenticated remote attacker reaches an undocumented internal diagnostic interface that is briefly exposed during the device's early boot phase. Because the diagnostic capability requires no authentication and grants access to internal system processes, a successful attacker obtains complete control over confidentiality, integrity, and availability. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires network access to the affected WAGO System I/O-Field 0765-series device AND that the device be in its initial startup/early boot sequence, during which the undocumented internal diagnostic capability is temporarily activated and reachable without authentication. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The signals mostly align on high severity but with one important nuance. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker with network reachability to a WAGO 0765 controller waits for or induces a device reboot, then connects to the undocumented diagnostic interface during the brief early-boot window and interacts with internal system processes to seize full control of the controller. No credentials or user interaction are required. … |
| Remediation | No vendor-released patched firmware version is stated in the available data, so consult the CERT@VDE advisory VDE-2026-031 (https://www.certvde.com/en/advisories/VDE-2026-031/) for WAGO's official fixed-firmware guidance and apply it once published; do not act on invented version numbers. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours, inventory all WAGO System I/O-Field series controller (0765-xxx) installations and assess their network exposure, documenting connection points and data criticality. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-912 – Hidden Functionality
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-43297
GHSA-2r6r-vgg5-p59v