CVE-2025-41713
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-09-15

Last updated on: 2025-09-15

Assigner: CERT VDE

Description
During a short time frame while the device is booting an unauthenticated remote attacker can send traffic to unauthorized networks due to the switch operating in an undefined state until a CPU-induced reset allows proper configuration.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-09-15
Last Modified
2025-09-15
Generated
2026-06-16
AI Q&A
2025-09-15
EPSS Evaluated
2026-06-15
NVD
CVE-2025-41713
EUVD
EUVD-2025-29160
Affected Vendors & Products
Showing 3 associated CPEs
Vendor Product Version / Range
wago cc100 *
wago touch_panel_600 *
wago edge_controller *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-1188 The product initializes or sets a resource with a default that is intended to be changed by the product's installer, administrator, or maintainer, but the default is not secure.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Impact Analysis

This vulnerability can lead to unstable system behavior and connectivity problems during device boot. More critically, it allows an unauthenticated remote attacker to send traffic to unauthorized networks within a short time frame during boot, potentially exposing network segments that should be protected. The impact includes limited confidentiality loss and availability degradation. [1, 2]

Executive Summary

CVE-2025-41713 is a hardware vulnerability in certain WAGO Ethernet switch circuits caused by a design flaw involving a PullUp resistor at the switch's reset input. This flaw causes the switch to activate prematurely during device boot, leading to an undefined operational state. During this brief boot window, an unauthenticated remote attacker can send traffic to unauthorized networks before the CPU resets and properly configures the switch. [1, 2]

Mitigation Strategies

To mitigate this vulnerability, you should upgrade affected devices to newer hardware revisions combined with WAGO Firmware version 04.08.05 (FW30) or later. Firmware updates alone on older hardware or new hardware without the updated firmware will not resolve the issue. The updated hardware and firmware properly manage the switch activation and configuration process, preventing the undefined switch operation during boot that allows unauthorized traffic. [1, 2]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-41713. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart