CVE Alert: CVE-2025-41664 – WAGO – Coupler 0750-0362
CVE-2025-41664
A low-privileged remote attacker could gain unauthorized access to critical resources, such as firmware and certificates, due to improper permission handling during the runtime of services (e.g., FTP/SFTP). This access could allow the attacker to escalate privileges and modify firmware.
AI Summary Analysis
Risk verdict
High risk: remote attacker with network access and low privileges could access firmware and certificates and alter firmware, enabling widespread impact.
Why this matters
Compromise of firmware integrity and certificates undermines device trust and supply-chain security, risking firmware rollback, device takeovers, and potential propagation across connected automation networks. The attacker could achieve persistent control with minimal user interaction.
Most likely attack path
Attack requires no user interaction but uses network access to exposed services (FTP/SFTP). With LOW privileges, the attacker can reach sensitive resources such as firmware and certificates, enabling privilege escalation and firmware modification under an UNCHANGED scope. Realistic attacker goals include altering firmware to maintain foothold or exfiltrating certificates for further access.
Who is most exposed
Industrial and building automation deployments using WAGO Couplers (various models) in OT/ICS networks, often exposed to remote maintenance or on-site networks with insufficient segmentation.
Detection ideas
- Unusual or unauthorised access attempts to firmware/cert directories via FTP/SFTP.
- Modifications to firmware images or certificate files outside approved change processes.
- Privilege-escalation attempts from low-priv user accounts.
- Atypical outbound connections or bulk firmware download activity.
- Log gaps or anomalies around remote maintenance sessions.
Mitigation and prioritisation
- Apply latest firmware updates from the affected family (FW13+) or vendor-recommended releases.
- Disable or restrict FTP/SFTP where feasible; enforce strong access controls and MFA for maintenance.
- Implement network segmentation and strict access controls around OT devices; enforce least privilege.
- Strengthen firmware signing and verification; monitor for unauthorized firmware and certificate changes.
- Change-management: require signed approvals for firmware updates; maintain verifiable audit trails.
- If KEV is reported or EPSS ≥ 0.5, treat as priority 1; otherwise prioritise within the standard patch cycle.
A considerable amount of time and effort goes into maintaining this website, creating backend automation and creating new features and content for you to make actionable intelligence decisions. Everyone that supports the site helps enable new functionality.
If you like the site, please support us on “Patreon” or “Buy Me A Coffee” using the buttons below
To keep up to date follow us on the below channels.
