CVE-2026-22904: CWE-121 Stack-based Buffer Overflow in WAGO 0852-1322
CVE-2026-22904 is a critical stack-based buffer overflow vulnerability in the WAGO 0852-1322 device caused by improper length handling when parsing multiple cookie fields, including TRACKID. An unauthenticated remote attacker can exploit this by sending oversized cookie values, leading to denial-of-service or potential remote code execution. The vulnerability has a CVSS score of 9. 8, indicating high severity with no authentication or user interaction required. No known exploits are currently reported in the wild. European organizations using WAGO 0852-1322 controllers, especially in industrial automation sectors, are at significant risk. Mitigation requires immediate vendor patching once available and network-level protections to restrict access to affected devices. Countries with strong industrial automation presence such as Germany, France, and Italy are most likely to be impacted.
AI Analysis
Technical Summary
CVE-2026-22904 is a stack-based buffer overflow vulnerability identified in the WAGO 0852-1322 industrial controller. The root cause is improper length validation when parsing multiple HTTP cookie fields, including the TRACKID cookie. An attacker can craft oversized cookie values and send them to the device's web interface without requiring authentication or user interaction. This triggers a stack buffer overflow, which can crash the device (denial-of-service) or potentially allow remote code execution, enabling full compromise of the device. The vulnerability is classified under CWE-121 (stack-based buffer overflow) and has a CVSS v3.1 score of 9.8, reflecting its critical impact and ease of exploitation over the network. The device is commonly used in industrial automation environments for controlling and monitoring processes. No patches or exploits are currently publicly available, but the vulnerability was reserved and published in early 2026. The lack of authentication requirement and the network attack vector make this vulnerability especially dangerous in operational technology (OT) environments where these controllers are deployed. Attackers exploiting this flaw could disrupt critical infrastructure or gain persistent control over industrial processes.
Potential Impact
For European organizations, particularly those in manufacturing, energy, and critical infrastructure sectors relying on WAGO 0852-1322 controllers, this vulnerability poses a severe risk. Exploitation can lead to denial-of-service conditions, halting industrial operations and causing significant financial and safety impacts. More critically, remote code execution could allow attackers to manipulate industrial processes, potentially causing physical damage or safety hazards. The unauthenticated, network-based nature of the vulnerability increases the likelihood of exploitation, especially if devices are exposed to less secure networks or the internet. Disruption or compromise of these controllers could affect supply chains and critical services, amplifying the impact across multiple sectors. The absence of known exploits currently provides a window for proactive mitigation, but the critical severity demands urgent attention.
Mitigation Recommendations
1. Immediately implement network segmentation to isolate WAGO 0852-1322 devices from general IT networks and restrict access to trusted management systems only. 2. Deploy firewall rules and intrusion prevention systems (IPS) to block or monitor suspicious HTTP requests containing oversized cookie headers targeting these devices. 3. Monitor network traffic for anomalous cookie field sizes or repeated malformed requests to detect potential exploitation attempts. 4. Engage with WAGO for official patches or firmware updates addressing CVE-2026-22904 and apply them promptly once available. 5. If patches are delayed, consider temporary mitigations such as disabling or restricting web interface access on the devices. 6. Conduct thorough asset inventories to identify all affected devices and ensure they are included in vulnerability management programs. 7. Train operational technology security teams on this vulnerability to enhance detection and response capabilities. 8. Implement strict access controls and multi-factor authentication on management interfaces to reduce exposure.
Affected Countries
Germany, France, Italy, Netherlands, Belgium, Poland, Czech Republic
CVE-2026-22904: CWE-121 Stack-based Buffer Overflow in WAGO 0852-1322
Description
CVE-2026-22904 is a critical stack-based buffer overflow vulnerability in the WAGO 0852-1322 device caused by improper length handling when parsing multiple cookie fields, including TRACKID. An unauthenticated remote attacker can exploit this by sending oversized cookie values, leading to denial-of-service or potential remote code execution. The vulnerability has a CVSS score of 9. 8, indicating high severity with no authentication or user interaction required. No known exploits are currently reported in the wild. European organizations using WAGO 0852-1322 controllers, especially in industrial automation sectors, are at significant risk. Mitigation requires immediate vendor patching once available and network-level protections to restrict access to affected devices. Countries with strong industrial automation presence such as Germany, France, and Italy are most likely to be impacted.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
CVE-2026-22904 is a stack-based buffer overflow vulnerability identified in the WAGO 0852-1322 industrial controller. The root cause is improper length validation when parsing multiple HTTP cookie fields, including the TRACKID cookie. An attacker can craft oversized cookie values and send them to the device's web interface without requiring authentication or user interaction. This triggers a stack buffer overflow, which can crash the device (denial-of-service) or potentially allow remote code execution, enabling full compromise of the device. The vulnerability is classified under CWE-121 (stack-based buffer overflow) and has a CVSS v3.1 score of 9.8, reflecting its critical impact and ease of exploitation over the network. The device is commonly used in industrial automation environments for controlling and monitoring processes. No patches or exploits are currently publicly available, but the vulnerability was reserved and published in early 2026. The lack of authentication requirement and the network attack vector make this vulnerability especially dangerous in operational technology (OT) environments where these controllers are deployed. Attackers exploiting this flaw could disrupt critical infrastructure or gain persistent control over industrial processes.
Potential Impact
For European organizations, particularly those in manufacturing, energy, and critical infrastructure sectors relying on WAGO 0852-1322 controllers, this vulnerability poses a severe risk. Exploitation can lead to denial-of-service conditions, halting industrial operations and causing significant financial and safety impacts. More critically, remote code execution could allow attackers to manipulate industrial processes, potentially causing physical damage or safety hazards. The unauthenticated, network-based nature of the vulnerability increases the likelihood of exploitation, especially if devices are exposed to less secure networks or the internet. Disruption or compromise of these controllers could affect supply chains and critical services, amplifying the impact across multiple sectors. The absence of known exploits currently provides a window for proactive mitigation, but the critical severity demands urgent attention.
Mitigation Recommendations
1. Immediately implement network segmentation to isolate WAGO 0852-1322 devices from general IT networks and restrict access to trusted management systems only. 2. Deploy firewall rules and intrusion prevention systems (IPS) to block or monitor suspicious HTTP requests containing oversized cookie headers targeting these devices. 3. Monitor network traffic for anomalous cookie field sizes or repeated malformed requests to detect potential exploitation attempts. 4. Engage with WAGO for official patches or firmware updates addressing CVE-2026-22904 and apply them promptly once available. 5. If patches are delayed, consider temporary mitigations such as disabling or restricting web interface access on the devices. 6. Conduct thorough asset inventories to identify all affected devices and ensure they are included in vulnerability management programs. 7. Train operational technology security teams on this vulnerability to enhance detection and response capabilities. 8. Implement strict access controls and multi-factor authentication on management interfaces to reduce exposure.
Affected Countries
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- CERTVDE
- Date Reserved
- 2026-01-13T08:33:25.683Z
- Cvss Version
- 3.1
- State
- PUBLISHED
Threat ID: 6989944b4b57a58fa134d4d0
Added to database: 2/9/2026, 8:01:15 AM
Last enriched: 2/16/2026, 1:29:44 PM
Last updated: 3/26/2026, 3:12:20 AM
Views: 127
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.