CVE-2025-41672
📋 TL;DR
This critical vulnerability allows remote unauthenticated attackers to generate valid JWT tokens using default certificates, granting them full administrative access to affected systems and all connected devices. Any organization using vulnerable versions of the affected products with default configurations is at risk.
💻 Affected Systems
- WAGO PFC200
- WAGO PFC100
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise allowing attackers to control all connected devices, steal sensitive data, deploy ransomware, or disrupt critical operations.
Likely Case
Unauthorized administrative access leading to data exfiltration, lateral movement to connected devices, and potential persistence in the network.
If Mitigated
Limited impact if proper network segmentation, certificate rotation, and access controls are implemented before exploitation.
🎯 Exploit Status
CVSS 10.0 indicates trivial exploitation with maximum impact. No public PoC confirmed but weaponization is likely given the severity.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Firmware 03.10.00(24) or later
Vendor Advisory: https://cert.vde.com/en/advisories/VDE-2025-057
Restart Required: Yes
Instructions:
1. Download firmware 03.10.00(24) or later from WAGO support portal.
2. Backup current configuration.
3. Upload and install new firmware via web interface or WAGO Service Tool.
4. Restart device.
5. Verify firmware version and regenerate certificates.
🔧 Temporary Workarounds
Network Isolation
Isolate affected devices from untrusted networks and internet access
Configure firewall rules to restrict access to trusted IPs only
Certificate Replacement
Replace default certificates with organization-specific certificates
Use WAGO Service Tool to generate and deploy custom certificates
🧯 If You Can't Patch
- Implement strict network segmentation and firewall rules to limit access to trusted management networks only
- Deploy network monitoring and IDS/IPS to detect and block JWT token manipulation attempts
🔍 How to Verify
Check if Vulnerable:
Check firmware version via web interface (System > Information) or using WAGO Service Tool. Versions before 03.10.00(24) are vulnerable.
Check Version:
curl -k https://<device-ip>/api/system/info | grep version
Verify Fix Applied:
Confirm firmware version is 03.10.00(24) or later and verify certificates have been regenerated post-update.
📡 Detection & Monitoring
Log Indicators:
- Unusual JWT token generation events
- Authentication attempts from unexpected IPs
- Administrative actions from unverified sources
Network Indicators:
- JWT token requests to default certificate endpoints
- Unauthorized API calls to device management interfaces
SIEM Query:
source="wago-device" AND (event_type="jwt_generation" OR auth_method="certificate") AND result="success"
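The SIEM query above matches every successful certificate or JWT event, including routine administration. The following added example (not part of the original advisory or of any WAGO tooling) applies the same predicate to constructed events and keeps only those whose source address lies outside an assumed management network. The `src_ip` and `device` fields and the `10.20.0.0/24` allowlist are assumptions, not values from the advisory.

```python
import ipaddress

# Assumption: networks allowed to administer the devices (constructed value).
TRUSTED_NETS = [ipaddress.ip_network("10.20.0.0/24")]

# Constructed sample events; field names follow the SIEM query on the page,
# plus the assumed "src_ip" and "device" fields.
EVENTS = [
    {"source": "wago-device", "event_type": "jwt_generation", "auth_method": "certificate",
     "result": "success", "src_ip": "10.20.0.15", "device": "plc-01"},
    {"source": "wago-device", "event_type": "jwt_generation", "auth_method": "certificate",
     "result": "success", "src_ip": "203.0.113.44", "device": "plc-01"},
    {"source": "wago-device", "event_type": "login", "auth_method": "password",
     "result": "success", "src_ip": "203.0.113.44", "device": "plc-02"},
    {"source": "wago-device", "event_type": "jwt_generation", "auth_method": "certificate",
     "result": "failure", "src_ip": "198.51.100.7", "device": "plc-02"},
    {"source": "wago-device", "event_type": "login", "auth_method": "certificate",
     "result": "success", "device": "plc-03"},  # source address missing
]


def matches_siem_query(event):
    """Same predicate as the SIEM query: source AND (jwt OR cert) AND success."""
    return (
        event.get("source") == "wago-device"
        and (event.get("event_type") == "jwt_generation"
             or event.get("auth_method") == "certificate")
        and event.get("result") == "success"
    )


def is_trusted(ip_text):
    """True only for a well-formed address inside one of TRUSTED_NETS."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False  # missing or malformed addresses are never trusted
    return any(ip in net for net in TRUSTED_NETS)


def triage(events):
    """Return query matches that did not come from a trusted management network."""
    return [e for e in events
            if matches_siem_query(e) and not is_trusted(e.get("src_ip", ""))]


if __name__ == "__main__":
    for e in triage(EVENTS):
        print(e["device"], e.get("src_ip", "<no source address>"), e["event_type"])
```

Events with no usable source address are flagged rather than dropped, so a logging gap does not hide a successful authentication.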