
CVE-2026-3587: CWE-912 Hidden Functionality in WAGO Lean Managed Switch 852-1812

Severity: Critical
Published: Mon Mar 23 2026 (03/23/2026, 07:49:17 UTC)
Source: CVE Database V5
Vendor/Project: WAGO
Product: Lean Managed Switch 852-1812

Description

CVE-2026-3587 is a critical vulnerability in the WAGO Lean Managed Switch 852-1812 that allows an unauthenticated remote attacker to exploit a hidden CLI function to escape the restricted interface. This leads to full device compromise, including complete control over confidentiality, integrity, and availability. The vulnerability requires no authentication or user interaction and can be exploited remotely with low complexity. Although no known exploits are currently in the wild, the CVSS score of 10 reflects its severe impact and ease of exploitation. Organizations using this switch model are at high risk of network disruption and potential lateral movement by attackers. Immediate mitigation involves isolating affected devices and applying vendor patches once available. Countries with significant industrial automation and critical infrastructure deployments of WAGO products are most at risk. Defenders must prioritize detection of unauthorized CLI access attempts and restrict network exposure of management interfaces to trusted zones only.

AI-Powered Analysis

Machine-generated threat intelligence

Last updated: 03/30/2026, 20:45:31 UTC

Technical Analysis

CVE-2026-3587 is a critical security vulnerability identified in the WAGO Lean Managed Switch 852-1812. The flaw stems from a hidden function within the device's command-line interface (CLI) prompt that can be exploited by an unauthenticated remote attacker. By leveraging this hidden functionality, the attacker can escape the restricted CLI environment, effectively bypassing any access controls designed to limit user capabilities. This escape leads to full compromise of the device, granting the attacker complete control over the switch’s configuration and operation. The vulnerability is classified under CWE-912 (Hidden Functionality), indicating that undocumented or unintended features are abused to gain unauthorized access. The CVSS 3.1 base score is 10.0, reflecting the highest severity, with attack vector network (AV:N), low attack complexity (AC:L), no privileges required (PR:N), no user interaction (UI:N), and scope changed (S:C), resulting in high confidentiality, integrity, and availability impacts (C:H/I:H/A:H). The affected product version is listed as 0.0.0, which likely indicates all current versions at the time of disclosure are vulnerable. No patches have been released yet, and no exploits are known in the wild. However, the nature of the vulnerability—remote, unauthenticated, and leading to full device compromise—makes it a critical risk for organizations relying on these switches for network infrastructure, especially in industrial or critical environments.

Potential Impact

The impact of CVE-2026-3587 is severe and multifaceted. Successful exploitation results in complete compromise of the WAGO Lean Managed Switch 852-1812, allowing attackers to manipulate network traffic, disrupt communications, and potentially pivot to other network segments. This can lead to loss of confidentiality through data interception or exfiltration, integrity breaches by altering configurations or injecting malicious traffic, and availability disruptions by disabling or destabilizing network operations. Given that these switches are often deployed in industrial automation and critical infrastructure environments, the compromise could have cascading effects on operational technology (OT) systems, causing physical process disruptions or safety hazards. The lack of authentication and user interaction requirements lowers the barrier for attackers, increasing the likelihood of exploitation. Organizations worldwide that depend on these devices for secure and reliable network management face heightened risks of espionage, sabotage, and operational downtime.

Mitigation Recommendations

To mitigate CVE-2026-3587, organizations should immediately implement network segmentation to isolate WAGO Lean Managed Switch 852-1812 devices from untrusted networks, especially the internet. Restrict management interface access strictly to trusted administrative networks using access control lists (ACLs) and firewall rules. Monitor network traffic for unusual CLI access attempts or unexpected command executions indicative of exploitation attempts. Employ network intrusion detection/prevention systems (IDS/IPS) with signatures or heuristics tailored to detect anomalous CLI behavior. Until an official patch is released by WAGO, consider disabling remote management features if operationally feasible or replacing vulnerable devices with alternatives not affected by this vulnerability. Maintain up-to-date asset inventories to identify all affected devices and prioritize remediation efforts. Once patches become available, apply them promptly following thorough testing. Additionally, implement strong logging and alerting on management interfaces to detect and respond to unauthorized access quickly.


Technical Details

Data Version: 5.2
Assigner Short Name: CERTVDE
Date Reserved: 2026-03-05T09:44:25.876Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 69c0f6b6f4197a8e3b21d85c

Added to database: 3/23/2026, 8:15:50 AM

Last enriched: 3/30/2026, 8:45:31 PM

Last updated: 5/7/2026, 4:30:44 AM
