Threat Advisory

Critical Remote Takeover Vulnerability in WAGO Device Sphere

Threat: Vulnerability
Targeted Region: Global
Targeted Sector: Technology & IT
Criticality: High

EXECUTIVE SUMMARY:

A critical security weakness has been found in WAGO Device Sphere, linked to how the system handles JWT certificates. Rated at the maximum of 10.0 on the severity scale, this flaw allows attackers to create their own tokens that the system accepts as genuine. Without needing to log in, an attacker can fully control the device through its web interface. The risk includes changing settings, reading sensitive data, and possibly installing harmful code. The issue leaves the device highly exposed if it is reachable on the network.

CVE-2025-41672: This security hole lies in how WAGO Device Sphere checks JWT tokens. Instead of only trusting certificates it knows, the system accepts tokens signed by an attacker’s key. That means someone could craft a fake token that grants them full access. The attacker could then control the device without logging in. This opens the door to changing device operations, stealing data, or uploading malicious files. Because the device often sits in network environments critical for operations, the impact could be significant if exploited.

This vulnerability is severe because it lets an attacker take over the device remotely without any login. Systems that expose Device Sphere to network access are especially at risk.
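
The control described above, trusting only keys the system already knows, is sketched below as an added example. It is not WAGO code: the key id `ops-2025`, the secret and all function names are constructed, and HS256 stands in for certificate-based signing so the block runs on the Python standard library alone.

```python
import base64, hashlib, hmac, json, time

# Constructed trust store: key id -> key. Only keys provisioned here are trusted.
TRUSTED_KEYS = {"ops-2025": b"constructed-sample-secret-not-a-real-key"}

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign(claims: dict, kid: str, key: bytes, alg: str = "HS256") -> str:
    """Build a sample token (used here only to produce test input)."""
    head = b64url(json.dumps({"alg": alg, "kid": kid}).encode())
    body = b64url(json.dumps(claims).encode())
    mac = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{b64url(mac)}"

def verify(token: str, now=None) -> dict:
    """Return the claims or raise ValueError. The key comes from the
    local trust store only, never from anything carried in the token."""
    try:
        head_b64, body_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(head_b64))
        sig = b64url_decode(sig_b64)
        if not isinstance(header, dict):
            raise TypeError("header is not a JSON object")
    except Exception as exc:
        raise ValueError("malformed token") from exc
    if header.get("alg") != "HS256":  # one fixed algorithm, "none" is refused
        raise ValueError("algorithm not allowed")
    kid = header.get("kid")
    key = TRUSTED_KEYS.get(kid) if isinstance(kid, str) else None
    if key is None:
        raise ValueError("signing key is not in the trust store")
    expected = hmac.new(key, f"{head_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(body_b64))
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= (time.time() if now is None else now):
        raise ValueError("token expired or missing exp")
    return claims
```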

RECOMMENDATION:

We recommend that you update WAGO Device Sphere to version 1.0.1 or later.

REFERENCES:

The following reports contain further technical details:
https://securityonline.info/php-flaws-cve-2025-1735-sqli-crash-cve-2025-6491-soap-dos-threaten-php-apps/
