โ† CIO Briefings ยท High Impact

wolfSSL Certificate Forgery Flaw Exposes Billions of Connected Devices to Network Interception

A critical flaw in a widely embedded networking security library allows attackers to present forged digital identity certificates that connected devices accept as genuine, enabling interception and manipulation of supposedly secure communications. The library is present in an estimated 5 billion devices including routers, industrial controllers, and automotive systems. Organisations must audit which of their devices and vendor-supplied equipment are affected.

4 min read
#NIS2

What Happened

A critical security flaw (CVE-2026-5194) has been discovered in wolfSSL, a compact security library used by device manufacturers to encrypt network communications in connected products. The flaw allows an attacker to present a fake digital certificate โ€” the mechanism that devices use to confirm they are communicating with a trusted server โ€” and the vulnerable device accepts the forgery as genuine. This breaks the fundamental trust mechanism protecting communications between devices and the systems they connect to. wolfSSL is embedded in an estimated 5 billion devices globally, including home and enterprise routers, factory and utility control systems, vehicle components, and medical monitoring equipment. A patched version of the library (5.9.1) was released on 8 April 2026, but because the library is embedded by device manufacturers, updates depend on each manufacturer releasing new firmware.

Business Impact

An attacker who exploits this vulnerability can position themselves between an affected device and the server it communicates with, intercepting and modifying all traffic that should be protected by encryption. In practice, this means stolen login credentials and session tokens from network appliances, manipulation of commands sent to industrial control equipment, interception of financial or patient data transmitted by connected infrastructure, and silent compromise of OT networks whose security model relies on TLS as the primary control-plane protection. For organisations operating in manufacturing, energy, or healthcare, the risk extends beyond data theft to operational integrity: a compromised industrial sensor or controller receiving forged commands could cause physical process failures. The scope of affected products is difficult to fully assess because wolfSSL is embedded by hundreds of manufacturers across many product categories.

Regulatory Implications

Under NIS2, operators of essential infrastructure โ€” energy, transport, water, health, digital infrastructure โ€” are required to manage supply chain security risks, including vulnerabilities in software components embedded in operational technology. The discovery of CVE-2026-5194 triggers a supply chain security review obligation for any NIS2-regulated entity using wolfSSL-dependent devices. Where affected devices are used in a capacity that constitutes an essential service, the failure to identify and remediate affected equipment within a reasonable timescale may be considered a failure of risk management obligations under NIS2 Article 21.

Board-Ready Summary

  • A flaw in security software embedded by device manufacturers in billions of connected products allows attackers to impersonate trusted servers and intercept encrypted communications.
  • Organisations using connected devices โ€” particularly in manufacturing, building management, healthcare, or operational technology โ€” may be exposed without knowing which of their equipment is affected, since the flaw is inside components supplied by vendors.
  • The security team should be directed to inventory all connected devices and request confirmation from vendors of patch status; devices in critical operational roles that cannot be patched should be subject to additional network isolation.

  1. This week: Direct the security team to compile an inventory of all connected and IoT devices across the estate โ€” routers, network appliances, SCADA/OT components, building management systems, medical devices โ€” and identify those supplied by manufacturers known to use wolfSSL.

  2. This week: Contact critical device vendors and request written confirmation of whether their products use wolfSSL and whether firmware updates incorporating wolfSSL 5.9.1 are planned and on what timeline.

  3. Short-term (2โ€“4 weeks): For devices confirmed to use a vulnerable wolfSSL version that cannot be immediately updated, apply network segmentation: isolate the device from untrusted network segments and route its communications through network controls that can detect anomalous certificate behaviour.

  4. Ongoing: Integrate wolfSSL version tracking into vendor security questionnaire processes. Any vendor supplying connected devices or appliances should be required to disclose third-party library versions as part of procurement and annual review cycles.

  5. If your organisation develops products: Update build dependencies to wolfSSL 5.9.1 immediately and schedule firmware releases that incorporate the fix. Notify customers of affected product versions and the availability of updates.