CVE-2026-3587: CWE-912 Hidden Functionality in WAGO Lean Managed Switch 852-1812

Critical
Published: Mon Mar 23 2026 (03/23/2026, 07:49:17 UTC)
Source: CVE Database V5
Vendor/Project: WAGO
Product: Lean Managed Switch 852-1812

Description

CVE-2026-3587 is a critical vulnerability in the WAGO Lean Managed Switch 852-1812 that allows an unauthenticated remote attacker to exploit a hidden CLI function to escape the restricted interface and gain root access to the underlying Linux OS. This leads to full device compromise without requiring any user interaction or prior authentication. The vulnerability stems from CWE-912 (Hidden Functionality), enabling attackers to bypass security controls. With a CVSS score of 10.0, this flaw impacts confidentiality, integrity, and availability severely. No patches are currently available, and no known exploits have been observed in the wild yet. Organizations using this switch model are at high risk of network infrastructure compromise. Immediate mitigation and monitoring are essential to prevent exploitation.

AI-Powered Analysis

Machine-generated threat intelligence

Last updated: 03/23/2026, 08:30:55 UTC

Technical Analysis

CVE-2026-3587 identifies a critical security vulnerability in the WAGO Lean Managed Switch 852-1812, a network device used for industrial and enterprise network management. The vulnerability is classified under CWE-912, which involves hidden functionality that bypasses intended access controls. Specifically, an unauthenticated remote attacker can access a concealed function within the device's command-line interface (CLI) prompt. This hidden function allows the attacker to escape the restricted CLI environment, which is normally designed to limit user capabilities, and gain root-level access to the underlying Linux-based operating system. Root access grants full control over the device, enabling the attacker to manipulate configurations, intercept or redirect network traffic, install persistent malware, or disrupt network operations. The vulnerability requires no authentication or user interaction, making it trivially exploitable over the network. The CVSS v3.1 base score of 10.0 reflects the highest severity, with attack vector being network (AV:N), low attack complexity (AC:L), no privileges required (PR:N), no user interaction (UI:N), and complete impact on confidentiality, integrity, and availability (C:H/I:H/A:H). The affected product version is listed as 0.0.0, which may indicate all current versions or a placeholder, but the vendor has not yet released patches. The vulnerability was reserved on March 5, 2026, and published on March 23, 2026. No known exploits have been reported in the wild, but the critical nature and ease of exploitation make this a significant threat to any organization deploying this switch model in their network infrastructure.

Potential Impact

The impact of CVE-2026-3587 is severe and far-reaching. Successful exploitation results in complete compromise of the WAGO Lean Managed Switch 852-1812, allowing attackers to gain root privileges on the device. This enables attackers to alter device configurations, intercept or manipulate network traffic, create persistent backdoors, and potentially pivot to other internal systems. Given that these switches are often deployed in industrial control systems, manufacturing environments, and enterprise networks, the compromise could lead to operational disruptions, data breaches, intellectual property theft, and sabotage of critical infrastructure. The lack of authentication and user interaction requirements significantly increases the risk of automated mass exploitation. Organizations relying on these switches for network segmentation and security enforcement may find their entire network perimeter undermined. Additionally, attackers could use compromised devices as footholds for lateral movement, increasing the scope and scale of potential damage.

Mitigation Recommendations

Since no patches are currently available, organizations should implement immediate compensating controls. First, isolate the affected WAGO Lean Managed Switch 852-1812 devices from untrusted networks and restrict management access to trusted administrative networks only. Employ network segmentation and access control lists (ACLs) to limit exposure of the device's management interfaces. Monitor network traffic for unusual CLI access attempts or suspicious activity indicative of exploitation attempts. Deploy intrusion detection/prevention systems (IDS/IPS) with signatures or heuristics targeting anomalous CLI behavior. Regularly audit device configurations and logs for unauthorized changes. Engage with WAGO support channels to obtain updates on patch availability and apply them promptly once released. Consider replacing vulnerable devices with alternative models if immediate patching is not feasible. Additionally, implement strict network monitoring and incident response plans tailored to industrial control system environments to quickly detect and respond to potential compromises.


Technical Details

Data Version: 5.2
Assigner Short Name: CERTVDE
Date Reserved: 2026-03-05T09:44:25.876Z
Cvss Version: 3.1
State: PUBLISHED

Threat ID: 69c0f6b6f4197a8e3b21d85c

Added to database: 3/23/2026, 8:15:50 AM

Last enriched: 3/23/2026, 8:30:55 AM

Last updated: 3/23/2026, 12:23:02 PM
