CVE-2026-22905 is a path traversal vulnerability classified under CWE-22 found in the WAGO 0852-1322 device. The flaw arises from improper limitation of pathname inputs to restricted directories, allowing an unauthenticated remote attacker to bypass authentication mechanisms. Specifically, the device's web interface fails to properly validate Uniform Resource Identifiers (URIs), enabling attackers to craft malicious requests containing path traversal sequences such as '/js/../cgi-bin/post.cgi'. This manipulation tricks the system into accessing protected Common Gateway Interface (CGI) endpoints and configuration files that should be restricted. The vulnerability is remotely exploitable without any authentication or user interaction, increasing its risk profile. The CVSS v3.1 score is 7.5 (high), reflecting the ease of exploitation (network attack vector, no privileges required, no user interaction) and the high confidentiality impact due to unauthorized access to sensitive configuration data. Although no public exploits have been reported yet, the vulnerability poses a significant threat to the confidentiality of device configurations and potentially the broader network if leveraged for further attacks. The affected product version is listed as 0.0.0, indicating all current versions are vulnerable until patched. The vulnerability was published on February 9, 2026, and assigned by CERTVDE. No official patches or mitigations have been linked yet, underscoring the need for immediate defensive measures.

For European organizations, especially those in industrial automation, manufacturing, and critical infrastructure sectors that deploy WAGO 0852-1322 devices, this vulnerability presents a serious risk. Unauthorized access to protected CGI endpoints and configuration files can lead to exposure of sensitive operational parameters, network configurations, and potentially credentials. This breach of confidentiality could enable attackers to map the network, plan further intrusions, or disrupt operations indirectly. Given the device's role in automation and control, attackers might leverage the information gained to interfere with industrial processes, causing operational disruptions or safety hazards. The lack of required authentication and ease of remote exploitation increase the likelihood of attacks, particularly in environments with exposed or poorly segmented networks. The vulnerability could also undermine compliance with European data protection and cybersecurity regulations, such as NIS2 and GDPR, if sensitive data is compromised. The absence of known exploits currently provides a window for proactive mitigation, but the high severity score indicates urgent attention is necessary to prevent potential exploitation.

1. Immediate network-level controls: Isolate WAGO 0852-1322 devices within segmented network zones with strict access controls to limit exposure to untrusted networks. 2. Implement Web Application Firewall (WAF) rules to detect and block path traversal patterns in HTTP requests targeting the device's web interface. 3. Monitor network traffic for unusual requests containing path traversal sequences or attempts to access CGI endpoints. 4. Coordinate with WAGO for official patches or firmware updates addressing CVE-2026-22905; apply updates promptly once available. 5. If patches are unavailable, consider disabling or restricting access to vulnerable web interfaces or CGI endpoints where feasible. 6. Employ strong authentication and VPN access for remote management to reduce attack surface. 7. Conduct regular security assessments and penetration tests focusing on industrial control systems to detect similar vulnerabilities. 8. Maintain an inventory of all WAGO devices and ensure they are included in vulnerability management programs. 9. Educate operational technology (OT) and IT staff about this vulnerability and signs of exploitation attempts. 10. Implement logging and alerting mechanisms to capture unauthorized access attempts to the device.