Full Report
RUGGEDCOM ROX II devices do not properly limit access through their Built-In-Self-Test (BIST) mode. This could allow a local attacker to bypass authentication and access a root shell on the device. Siemens is preparing fix versions and recommends specific countermeasures for products where fixes are not, or not yet, available.
Analysis Summary
# Vulnerability: Authentication Bypass in RUGGEDCOM ROX II BIST Mode
## CVE Details
- **CVE ID:** CVE-2025-40761
- **CVSS Score:** 7.6 (High) under CVSS v3.1; 8.6 (High) under CVSS v4.0
- **CWE:** CWE-288 (Authentication Bypass Using an Alternate Path or Channel)
## Affected Systems
- **Products:** Siemens RUGGEDCOM ROX II family devices, including:
  - RUGGEDCOM ROX MX5000 / MX5000RE
  - RUGGEDCOM ROX RX1400
  - RUGGEDCOM ROX RX1500 / RX1501 / RX1510 / RX1511 / RX1512 / RX1524
- **Versions:** All versions currently available.
- **Configurations:** Devices running with factory default boot settings, i.e. without a secure boot password set.
## Vulnerability Description
The vulnerability is an access-control weakness in the Built-In-Self-Test (BIST) mode of RUGGEDCOM ROX II devices. BIST mode is a boot-time diagnostic path reachable from the serial console, and on devices with factory default boot settings it is not protected by the credentials that gate the normal login. An attacker with a serial connection who interrupts the boot sequence can therefore enter BIST mode and obtain a root shell without authenticating; this is the alternate-path bypass that CWE-288 describes.
## Exploitation
- **Status:** PoC available (coordinated disclosure); no reports of exploitation in the wild at this time.
- **Complexity:** Low
- **Attack Vector:** Physical (requires access to the device's serial interface).
## Impact
- **Confidentiality:** High (Full access to device data and configuration)
- **Integrity:** High (Ability to modify system files and firmware)
- **Availability:** High (Potential to render the device inoperable or take it out of service)
## Remediation
### Patches
- **No patches are currently available.** Siemens is preparing fix versions for the affected products; until they ship, apply the workarounds below.
### Workarounds
- **Set Secure Boot Password:** Configure a secure boot password immediately, following Section 5.9.3 of the respective product configuration manual. With a boot password set, entry into BIST mode from the serial console requires that password, which closes the unauthenticated path. Because the vulnerable condition is the factory default, set it on every affected device rather than only on those with known console exposure, and confirm from the serial console during a controlled reboot that the device now prompts for the password before granting BIST access.
- **Physical Security:** Ensure devices are housed in locked cabinets or restricted-access areas to prevent unauthorized serial console connections.
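The two patterns described above, an unauthenticated boot-time diagnostic path and the same path gated by a boot password, as a small C model. This is an added example, not ROX II firmware or Siemens code: the `boot_ctx` structure, the function names, the fail-closed behaviour when no password is provisioned and the attempt limit are assumptions chosen to illustrate the fix, not documented device behaviour.

```c
/* Illustrative model of a boot-time self-test (BIST) gate, added as an
 * example; it is not RUGGEDCOM ROX II firmware. It contrasts the CWE-288
 * pattern (an alternate boot path that skips authentication) with a version
 * gated by a boot password, the countermeasure the advisory recommends. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

enum boot_target { BOOT_NORMAL = 0, BOOT_ROOT_SHELL = 1, BOOT_REFUSED = 2 };

/* Hypothetical boot-time state. boot_password == NULL models the factory
 * default the advisory describes: no secure boot password provisioned. */
struct boot_ctx {
    bool bist_requested;        /* console key sequence seen during boot */
    const char *boot_password;  /* NULL: factory default, none set */
    unsigned failed_attempts;
    unsigned max_attempts;
};

/* Vulnerable pattern: the diagnostic hook is reachable from the serial
 * console and performs no credential check, so it is an alternate path
 * around the device's login (CWE-288). */
enum boot_target bist_entry_vulnerable(const struct boot_ctx *ctx)
{
    return ctx->bist_requested ? BOOT_ROOT_SHELL : BOOT_NORMAL;
}

/* Constant-time comparison: the serial line is the attacker's channel, so
 * the check must not leak how much of a guess matched. Only the length
 * difference influences timing here, never the characters themselves. */
static bool ct_equal(const char *a, const char *b)
{
    size_t la = strlen(a), lb = strlen(b);
    size_t n = la > lb ? la : lb;
    unsigned char diff = (unsigned char)((la ^ lb) != 0);
    for (size_t i = 0; i < n; i++) {
        unsigned char ca = i < la ? (unsigned char)a[i] : 0;
        unsigned char cb = i < lb ? (unsigned char)b[i] : 0;
        diff |= (unsigned char)(ca ^ cb);
    }
    return diff == 0;
}

/* Gated pattern (assumed design): BIST requires the boot password, the path
 * fails closed when no password is provisioned, and attempts are bounded so
 * the console cannot be used for an unbounded guessing run. */
enum boot_target bist_entry_gated(struct boot_ctx *ctx, const char *supplied)
{
    if (!ctx->bist_requested)
        return BOOT_NORMAL;
    if (ctx->boot_password == NULL)
        return BOOT_REFUSED;   /* no password set: diagnostic shell stays closed */
    if (ctx->failed_attempts >= ctx->max_attempts)
        return BOOT_REFUSED;   /* locked out until the next power cycle */
    if (supplied != NULL && ct_equal(supplied, ctx->boot_password)) {
        ctx->failed_attempts = 0;
        return BOOT_ROOT_SHELL;
    }
    ctx->failed_attempts++;
    return BOOT_REFUSED;
}

/* Constructed scenarios so the contrast can be exercised and checked. */
int scenario_factory_default_vulnerable(void)
{
    struct boot_ctx c = { true, NULL, 0, 3 };
    return (int)bist_entry_vulnerable(&c);        /* BOOT_ROOT_SHELL */
}

int scenario_factory_default_gated(void)
{
    struct boot_ctx c = { true, NULL, 0, 3 };
    return (int)bist_entry_gated(&c, "anything"); /* BOOT_REFUSED */
}

int scenario_wrong_then_right(void)
{
    struct boot_ctx c = { true, "s3cure-boot", 0, 3 };
    if (bist_entry_gated(&c, "guess") != BOOT_REFUSED || c.failed_attempts != 1)
        return -1;
    return (int)bist_entry_gated(&c, "s3cure-boot"); /* BOOT_ROOT_SHELL */
}

int scenario_lockout(void)
{
    struct boot_ctx c = { true, "s3cure-boot", 0, 3 };
    for (int i = 0; i < 3; i++)
        bist_entry_gated(&c, "guess");
    return (int)bist_entry_gated(&c, "s3cure-boot"); /* BOOT_REFUSED: locked */
}

int main(void)
{
    printf("vulnerable, factory default : %d\n", scenario_factory_default_vulnerable());
    printf("gated, factory default      : %d\n", scenario_factory_default_gated());
    printf("gated, wrong then right     : %d\n", scenario_wrong_then_right());
    printf("gated, lockout              : %d\n", scenario_lockout());
    return 0;
}
```

The point of the contrast is where the check sits: in the vulnerable form the self-test hook decides on its own, so the login that guards the normal path never runs; in the gated form the diagnostic path reuses a credential the operator controls, which is exactly what setting the boot password on a ROX II device achieves. The fail-closed default and the lockout are additional hardening choices shown for illustration and are not claims about the product's actual behaviour.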
## Detection
- **Indicators of Compromise:** Unexpected reboots (entering BIST mode requires interrupting the boot sequence) and serial console activity that does not match a scheduled maintenance window.
- **Detection Methods:** A serial console session leaves no network trace, so detection relies on physical access records for the enclosure, on the device's own reboot and boot-configuration logs, and on periodic integrity checks of the running configuration and system files against a known-good baseline. A changed boot configuration or system file with no corresponding change record should be treated as possible root shell activity.
## References
- **Vendor Advisory:** hxxps://cert-portal.siemens[.]com/productcert/html/ssa-094954.html
- **Configuration Manuals:**
- hxxps://support.industry.siemens[.]com/cs/document/109983832/
- hxxps://support.industry.siemens[.]com/cs/document/109983826/
- hxxps://support.industry.siemens[.]com/cs/document/109983829/
- **Industrial Security Guidelines:** hxxps://www.siemens[.]com/cert/operational-guidelines-industrial-security