CVE-2025-40949
Siemens · RUGGEDCOM ROX
The Scheduler functionality in the Siemens RUGGEDCOM ROX Web UI is vulnerable to command injection, allowing authenticated remote attackers to execute arbitrary commands with root privileges.
Executive summary
A critical command injection vulnerability in the Web UI of Siemens RUGGEDCOM ROX devices (versions < V2.17.1) allows authenticated attackers to gain full root-level control.
Vulnerability
The vulnerability exists in the Scheduler functionality of the Web UI, which fails to properly sanitize user-supplied input. This allows an authenticated remote attacker to inject and execute arbitrary OS commands at the root privilege level.
Business impact
A CVSS score of 9.1 highlights the severe risk posed by this vulnerability, as it grants complete control over the affected network infrastructure device. Compromise of such devices can facilitate lateral movement within the network, traffic interception, and total disruption of industrial communications.
Remediation
Immediate Action: Update all affected RUGGEDCOM ROX devices to firmware version V2.17.1 or later, which corrects the input handling in the Scheduler functionality.
Proactive Monitoring: Review device logs for suspicious scheduled task creation or modification, and for command executions that do not correspond to an expected administrative change in the device management interface.
Compensating Controls: Restrict administrative access to the Web UI to a dedicated, isolated management VLAN and employ multi-factor authentication (MFA) to minimize the risk of credential compromise.
Exploitation status
Public Exploit Available: Unknown
Analyst recommendation
Immediate firmware updates are required to eliminate this command injection flaw. Given the high privilege level attainable by an attacker, organizations must ensure that administrative credentials for these devices are secure and that the Web UI is not exposed to untrusted networks.