SYS::ONLINE
Wasteland.
Briefs1156
Issues19
SinceFeb 2026
LIVE
⚡ Active KEV CVE-2026-4769 2026-07-13

CVE-2026-4769: Unauthenticated Boot-Time Backdoor in WAGO System I/O Field Devices

"A critical, undocumented diagnostic feature in WAGO System I/O Field devices exposes an unauthenticated remote access window during early boot, allowing full system compromise."

A critical, undocumented diagnostic feature in WAGO System I/O Field devices exposes an unauthenticated remote access window during early boot, allowing full system compromise.

What Is It

Certain devices in the WAGO System I/O Field series activate an internal diagnostic capability during the initial startup sequence. This functionality is not formally documented and becomes accessible without authentication for a brief period in the early boot phase. During this window, an unauthenticated remote attacker can gain access to the internal system processes, resulting in full system compromise. The flaw is classified as CWE-912 (Hidden Functionality).

Why It Matters

The vulnerability carries a CVSS 3.1 base score of 9.8 (Critical), with a network attack vector, low attack complexity, and no privileges or user interaction required (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). A CVSS 4.0 score of 9.3 (Critical) is also assigned. Because exploitation requires no authentication and yields full compromise of confidentiality, integrity, and availability, an attacker with network reach to an affected device during boot can take complete control.

What's Vulnerable

Multiple WAGO System I/O Field product lines are affected, each fixed at a different firmware version (all starting from 1.0.0.0):

Patch Status

Fixed firmware versions are indicated per product above; upgrading to at or above the listed version remediates the affected device. Refer to the CERT@VDE advisory (VDE-2026-031) for vendor guidance. The CVE was published on 2026-07-13 with status "Received." No CISA KEV entry was supplied, so active exploitation is not confirmed in the provided source material.

Sources