CVE-2025-41672
BaseFortify
Publication date: 2025-07-07
Last updated on: 2025-07-08
Assigner: CERT VDE
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-1188 | The product initializes or sets a resource with a default that is intended to be changed by the product's installer, administrator, or maintainer, but the default is not secure. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability occurs because WAGO Device Sphere software versions prior to 1.0.1 install two identical default JWT signing certificates across all installations instead of generating unique certificates. Since these certificates are used to sign JWT tokens, a remote unauthenticated attacker who obtains the shared signing key can forge valid JWT tokens. This allows the attacker to gain full access to the WAGO Device Sphere tool and all connected devices, compromising confidentiality, integrity, and availability. [1, 2]
How can this vulnerability impact me? :
The vulnerability allows a remote unauthenticated attacker to impersonate legitimate users by forging JWT tokens, resulting in full access to the WAGO Device Sphere tool and all connected devices. This leads to complete compromise of confidentiality, integrity, and availability of the system and connected devices, potentially causing unauthorized control, data breaches, and disruption of services. [1, 2]
What immediate steps should I take to mitigate this vulnerability?
The immediate step to mitigate this vulnerability is to update the WAGO Device Sphere software to version 1.0.1, which addresses the issue by replacing the default identical JWT signing certificates with unique ones. Additionally, note that version 1.0 will no longer be supported after June 30, 2025, so upgrading is critical to maintain security. [1, 2]