Full Report
Ruggedcom Rox contains an input validation vulnerability in the Scheduler functionality that could allow an authenticated remote attacker to execute arbitrary commands with root privileges on the underlying operating system. Siemens has released new versions for the affected products and recommends updating to the latest versions.
Analysis Summary
# Vulnerability: Remote Code Execution in Ruggedcom Rox Scheduler
## CVE Details
- **CVE ID:** CVE-2025-40949
- **CVSS Score:** 9.1 (Critical) - CVSS v3.1 | 8.9 (High) - CVSS v4.0
- **CWE:** CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
## Affected Systems
- **Products:**
  - RUGGEDCOM ROX II family (including MX5000, MX5000RE, RX1400, RX1500, RX1501, RX1510, RX1511, RX1512, RX1524, RX1536, RX5000)
- **Versions:** All versions prior to V2.17.1
- **Configurations:** Devices utilizing the Web UI Scheduler functionality.
## Vulnerability Description
The vulnerability stems from improper neutralization of user-supplied input within the Scheduler functionality of the Ruggedcom Rox Web UI. Because the application fails to properly sanitize input, an attacker can inject malicious OS commands into the task scheduling backend. These commands are subsequently executed by the underlying operating system with root-level privileges.
## Exploitation
- **Status:** Not currently reported as exploited in the wild; no public PoC listed in technical advisory.
- **Complexity:** Low
- **Attack Vector:** Network (Remote)
- **Authentication:** Required (authenticated attacker with high privileges; the CVSS scope is Changed because command execution reaches the underlying operating system rather than staying within the Web UI).
## Impact
- **Confidentiality:** High (Full access to system data and files)
- **Integrity:** High (Ability to modify system configuration and firmware)
- **Availability:** High (Ability to disable the device or interrupt network services)
## Remediation
### Patches
- **Ruggedcom Rox II Family:** Update to version **V2.17.1** or later.
- Downloads are available via the Siemens Industry Online Support portal: hxxps://support[.]industry[.]siemens[.]com/cs/ww/en/view/110002017/
### Workarounds
- **Network Segmentation:** Protect network access to devices with appropriate firewalls and VPNs.
- **Operational Guidelines:** Follow Siemens' operational guidelines for Industrial Security to ensure devices operate in a protected IT environment.
- **Restrict Access:** Limit Web UI access to trusted administrative networks only.
## Detection
- **Indicators of Compromise:** Monitor for unusual scheduled tasks or scripts within the Scheduler interface. Review system logs for unauthorized root-level command executions.
- **Detection methods and tools:** Audit logs for the Web UI may show suspicious input strings (command metacharacters like `;`, `&`, `|`, or `$()`) being submitted to the scheduler endpoint.
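A minimal audit-log review implementing the metacharacter heuristic above, added here as an example; it is not part of the advisory and not Siemens tooling. The `key=value` log format, the field names and the `/scheduler` endpoint prefix are constructed assumptions, so a real ROX II Web UI log would need its own parser.

```python
import re
from typing import Dict, List

# Constructed sample audit records (not real ROX II output): one Web UI request
# per line as space-separated key=value pairs. The endpoint path is assumed.
SAMPLE_AUDIT_LOG = """\
ts=2025-01-10T08:00:01Z user=admin path=/scheduler/task action=create cmd="/opt/scripts/backup.sh"
ts=2025-01-10T08:05:12Z user=admin path=/login action=auth result=ok
ts=2025-01-10T08:07:44Z user=admin path=/scheduler/task action=create cmd="backup.sh; $(id)"
ts=2025-01-10T08:09:03Z user=operator path=/scheduler/task action=update cmd="/opt/scripts/rotate.sh | tee /tmp/log"
ts=2025-01-10T08:10:30Z user=admin path=/status action=view
"""

# Shell metacharacters named in the advisory's detection guidance (; & | $( ) plus backticks.
META_RE = re.compile(r"[;&|`]|\$\(")
SCHEDULER_PATH_PREFIX = "/scheduler"  # assumed endpoint prefix, not from the advisory

# key=value pairs; a double-quoted value may contain spaces.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_line(line: str) -> Dict[str, str]:
    """Parse one key=value audit line; quoted values keep only their inner text."""
    fields: Dict[str, str] = {}
    for key, value in FIELD_RE.findall(line):
        fields[key] = value[1:-1] if value.startswith('"') else value
    return fields


def find_suspicious(log_text: str) -> List[Dict[str, str]]:
    """Return scheduler submissions whose command field contains a shell metacharacter."""
    hits: List[Dict[str, str]] = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        # Only requests to the scheduler endpoint are in scope for this check.
        if not rec.get("path", "").startswith(SCHEDULER_PATH_PREFIX):
            continue
        match = META_RE.search(rec.get("cmd", ""))
        if match:
            rec["matched"] = match.group(0)  # first metacharacter seen, for the analyst
            hits.append(rec)
    return hits


if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_AUDIT_LOG):
        print(f"{hit['ts']} user={hit['user']} matched={hit['matched']!r} cmd={hit['cmd']!r}")
```

Legitimate tasks that use pipes or chaining (the `rotate.sh | tee` record above) also match, so treat hits as review candidates to compare against the expected task list rather than as confirmed compromise.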
## References
- **Siemens Security Advisory SSA-081142:** hxxps://cert-portal[.]siemens[.]com/productcert/html/ssa-081142[.]html
- **Siemens Industrial Security Guidelines:** hxxps://www[.]siemens[.]com/cert/operational-guidelines-industrial-security
- **General Advisories:** hxxps://www[.]siemens[.]com/cert/advisories