CVE-2026-4769 -- CVSS 9.8 Vulnerability Briefing
CVE-2026-4769 | CVSS 9.8 (Critical) | Exploit: PoC available
What Is It
CVE-2026-4769 is an unauthenticated remote access vulnerability affecting WAGO System I/O Field series devices, caused by an undocumented diagnostic interface that becomes exposed during the device boot sequence.
Technical Detail
During the initial startup sequence, affected WAGO System I/O Field devices activate an internal diagnostic capability that is not part of any documented feature set. This interface is accessible over the network without authentication for a finite window during early boot, before normal access controls are enforced. An unauthenticated remote attacker who connects during this window can interact with internal system processes, resulting in full system compromise, which may include arbitrary code execution, configuration manipulation, and persistent access to the device.
Exploitation Status
A proof-of-concept exploit is publicly available. This vulnerability has not been added to the CISA Known Exploited Vulnerabilities catalog as of July 13, 2026, and active in-the-wild exploitation has not been confirmed. However, the availability of a PoC lowers the barrier for exploitation and increases the likelihood of attempted attacks against exposed devices in the near term.
Who Is Targeting This
No specific threat actor attribution at this time. Neither confirmed nor reported threat actor associations have been established for this vulnerability.
What To Do
Apply any vendor-issued firmware patches from WAGO immediately, prioritizing internet-facing or network-accessible devices in the System I/O Field series. Given the CVSS score of 9.8 and the availability of a public PoC, this should be treated as a high-priority remediation item. As an interim workaround, restrict network access to affected devices during boot cycles using firewall rules or network segmentation, preventing external hosts from reaching the diagnostic interface during the vulnerable startup window. Where possible, place these devices behind industrial demilitarized zones and enforce strict ingress filtering. Monitor for unexpected inbound connection attempts to WAGO devices during reboot events as a detection signal. Confirm with WAGO whether specific firmware versions are affected and whether a patched release is available, as the affected product list has not been formally enumerated in current advisories.