COOEY // HUBcompliance · community · intelligence

Exposures › CVE-2026-4769

CVE-2026-4769

Severity
critical
Source
NVD · cve
Published
2026-07-13
CVSS
9.8
Reference
https://nvd.nist.gov/vuln/detail/CVE-2026-4769
⚡ RCE shame 85/100 rceunpatchedexploited-in-wildsupply-chainnegligence

WAGO I/O Field devices expose an unauthenticated RCE during early boot via undocumented diagnostic access.

This critical vulnerability allows remote attackers to execute arbitrary code on WAGO System I/O Field devices during the initial startup sequence without authentication, enabling full system compromise. DIB organizations must ensure these devices are patched and boot-time protections are enforced to prevent unauthorized access to industrial control systems.

Shame score — An unauthenticated RCE during boot on industrial devices is a severe, avoidable failure that directly compromises system integrity and violates CMMC/NIST 800-171 controls.

Description

Certain devices in the WAGO System I/O Field series activate an internal diagnostic capability during the initial startup sequence. This functionality is not formally documented and becomes accessible without authentication for a brief period in the early boot phase. During this window, an unauthenticated remote attacker can gain access to the internal system processes, resulting in full system compromise.

Affected FedRAMP products 0 in the catalog

No correlated FedRAMP products.