A cluster of critical vulnerabilities has been identified in WAGO’s 852 series Industrial Managed Switches, exposing OT networks to remote takeover, according to CERT@VDE. The flaws affect the 8052-1322 and 0852-1328 models (Firmware 2.64 and prior) and reside in the device’s web-based management interface, which uses a customised lighttpd server and CGI binaries.
The advisory highlights CVE-2026-22906, where credentials are stored with AES-ECB and a hardcoded decryption key, enabling an unauthenticated remote attacker to decrypt configuration backups and recover plaintext usernames and passwords. Two other critical issues involve cookie handling: CVE-2026-22904 allows a stack buffer overflow via an oversized TRACKID cookie, and CVE-2026-22903 enables remote code execution through a crafted SESSIONID cookie.
Additionally, CVE-2026-22905 (CVSS 7.5) permits authentication bypass through path traversal, granting access to sensitive endpoints and the possibility of obtaining configuration files needed to exploit the hardcoded key. Successful exploitation could crash the web service, allow arbitrary code execution, and compromise administrator credentials.