CVE-2025-41672: CWE-1188 in WAGO Wago Device Sphere
A remote unauthenticated attacker may use default certificates to generate JWT Tokens and gain full access to the tool and all connected devices.
AI Analysis
Technical Summary
CVE-2025-41672 is a critical vulnerability identified in WAGO's Device Sphere product, version 1.0.0. The vulnerability is classified under CWE-1188, which pertains to improper use of cryptographic primitives. Specifically, this flaw allows a remote, unauthenticated attacker to exploit default certificates embedded within the system to generate valid JSON Web Tokens (JWTs). JWTs are commonly used for authentication and authorization in web applications and services. By leveraging these default certificates, an attacker can forge JWTs that grant full administrative access to the Wago Device Sphere tool and all devices connected to it. This means the attacker can bypass authentication controls entirely without needing any prior credentials or user interaction.
The CVSS v3.1 base score for this vulnerability is 10.0, indicating a critical severity level. The vector metrics highlight that the attack can be performed remotely (AV:N), requires no privileges (PR:N), no user interaction (UI:N), and impacts confidentiality, integrity, and availability with a scope change (S:C). The vulnerability's root cause is the use of default cryptographic certificates that are either publicly known or easily extractable, enabling token forgery.
Since Wago Device Sphere is used for managing industrial automation devices, this vulnerability poses a significant risk to operational technology environments. No patches or mitigations have been published yet, and there are no known exploits in the wild at the time of disclosure, but the ease of exploitation and critical impact make it a high-priority issue for affected organizations.
Potential Impact
For European organizations, especially those in industrial automation, manufacturing, energy, and critical infrastructure sectors, this vulnerability presents a severe threat. The ability of an unauthenticated attacker to gain full control over the Device Sphere platform and connected devices could lead to unauthorized manipulation of industrial processes, data theft, disruption of operations, and potential physical damage to equipment. Given the interconnected nature of industrial control systems (ICS) and the increasing adoption of IoT and cloud-based device management platforms like Wago Device Sphere, exploitation could cascade across multiple systems and facilities. This could result in significant operational downtime, safety hazards, and regulatory non-compliance, particularly under EU regulations such as NIS2 and GDPR if sensitive data is compromised. The criticality of the vulnerability also raises concerns about potential sabotage or espionage by threat actors targeting European industrial assets. Because no authentication or user interaction is required, attacks can be automated and launched at scale, increasing the risk of widespread impact.
Mitigation Recommendations
Immediate mitigation steps should include:
1) Isolating the Wago Device Sphere instances from public networks until a patch is available, restricting access to trusted internal networks only.
2) Conducting an inventory of all connected devices and monitoring for unusual authentication tokens or access patterns indicative of JWT forgery.
3) Implementing network-level controls such as firewalls and intrusion detection/prevention systems (IDS/IPS) to detect and block unauthorized access attempts.
4) Engaging with WAGO support to obtain any available workarounds or interim fixes, such as replacing default certificates with unique, securely generated ones.
5) Applying strict access control policies and multi-factor authentication on management consoles where possible to reduce risk.
6) Preparing incident response plans specifically for ICS compromise scenarios, including backup and recovery procedures.
7) Monitoring threat intelligence feeds for emerging exploits targeting this vulnerability.
Organizations should prioritize patching as soon as WAGO releases an official update and validate the integrity of their device management environments regularly.
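Added example (not code from WAGO, Device Sphere or the original analysis) of the verifier-side check behind mitigation items 2 and 4: tokens are accepted only under the operator's own freshly generated key, and any token that verifies under the shipped default key is reported as forged so it can be rejected and alerted on. DefaultKey, OperatorKey, SignRS256 and Classify are names chosen here; both keys are generated in-process as stand-ins for the vendor's default certificate key and its replacement.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"strings"
)

// Constructed stand-ins: DefaultKey plays the key behind a vendor-shipped
// default certificate, OperatorKey the unique key that replaced it.
var DefaultKey, _ = rsa.GenerateKey(rand.Reader, 2048)
var OperatorKey, _ = rsa.GenerateKey(rand.Reader, 2048)
var b64 = base64.RawURLEncoding

// SignRS256 issues a compact RS256 JWT (header.payload.signature).
func SignRS256(key *rsa.PrivateKey, claims string) string {
	body := b64.EncodeToString([]byte(`{"alg":"RS256","typ":"JWT"}`)) +
		"." + b64.EncodeToString([]byte(claims))
	h := sha256.Sum256([]byte(body))
	sig, _ := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, h[:])
	return body + "." + b64.EncodeToString(sig)
}

// verifyRS256 pins the algorithm to RS256 rather than trusting the token's
// own "alg" header, and checks the signature against one public key.
func verifyRS256(pub *rsa.PublicKey, tok string) bool {
	parts := strings.Split(tok, ".")
	if len(parts) != 3 {
		return false
	}
	sig, err := b64.DecodeString(parts[2])
	h := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	return err == nil && rsa.VerifyPKCS1v15(pub, crypto.SHA256, h[:], sig) == nil
}

// Classify consults the blocklist (known default key) before the allowlist
// (operator key): a token verifying under the default key is forgery evidence.
func Classify(tok string) string {
	if verifyRS256(&DefaultKey.PublicKey, tok) {
		return "forged-with-default-key"
	}
	if verifyRS256(&OperatorKey.PublicKey, tok) {
		return "valid"
	}
	return "invalid-signature"
}
```

In a deployment the default public key is loaded from the shipped certificate rather than generated, and every "forged-with-default-key" result is the alert that the monitoring in step 2 is looking for.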
Affected Countries
Germany, France, Italy, Netherlands, Belgium, Poland, Czech Republic, Sweden
Technical Details
- Data Version: 5.1
- Assigner Short Name: CERTVDE
- Date Reserved: 2025-04-16T11:17:48.308Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 686b6b986f40f0eb72dd2a32
Added to database: 7/7/2025, 6:39:20 AM
Last enriched: 7/7/2025, 6:54:29 AM
Last updated: 7/7/2025, 9:21:19 AM
Views: 7