Full Report
RUGGEDCOM ROX contains an improper access control vulnerability that could allow an authenticated remote attacker to read arbitrary files with root privileges from the underlying operating system's filesystem. Siemens has released new versions for the affected products and recommends updating to the latest versions.
Analysis Summary
# Vulnerability: Arbitrary File Disclosure in Siemens Ruggedcom Rox
## CVE Details
- **CVE ID:** CVE-2025-40948
- **CVSS Score:** 6.8 (Medium) - CVSS v3.1 / 6.1 (Medium) - CVSS v4.0
- **CWE:** CWE-88: Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')
## Affected Systems
- **Products:** RUGGEDCOM ROX II family switches
- **Versions:** All versions prior to V2.17.1
- **Configurations:**
  - RUGGEDCOM ROX MX5000 / MX5000RE
  - RUGGEDCOM ROX RX1400
  - RUGGEDCOM ROX RX1500 / RX1501 / RX1510 / RX1511 / RX1512 / RX1524 / RX1536
  - RUGGEDCOM ROX RX5000
## Vulnerability Description
The vulnerability exists due to improper input validation within the web server’s **JSON-RPC interface**. This "Improper Neutralization of Argument Delimiters" (CWE-88) allows an authenticated remote attacker to inject arguments that can bypass access controls. Consequently, an attacker can read arbitrary files from the underlying operating system's filesystem with **root privileges**.
## Exploitation
- **Status:** Not reported as exploited in the wild; discovered by Palo Alto Networks OT Threat Research Lab.
- **Complexity:** Low
- **Attack Vector:** Network (Remote)
- **Authentication:** Required (CVSS PR:H, i.e. a highly privileged account)
## Impact
- **Confidentiality:** High (Root-level access to the entire OS filesystem)
- **Integrity:** None
- **Availability:** None
## Remediation
### Patches
Siemens recommends updating to **V2.17.1 or later**.
- Download Location: hxxps[://]support[.]industry[.]siemens[.]com/cs/ww/en/view/110002017/
### Workarounds
No specific product workarounds are provided. Siemens recommends general security best practices:
- Protect network access to devices with appropriate physical and logical mechanisms.
- Follow Siemens’ operational guidelines for Industrial Security.
## Detection
- **Indicators of compromise:** Audit web server logs for unusual or malformed requests directed at the JSON-RPC interface, specifically those containing system file paths (e.g., `/etc/shadow`, `/etc/passwd`).
- **Detection methods and tools:** Use OT-aware Intrusion Detection Systems (IDS) to monitor traffic to the switch management interface for suspicious JSON-RPC payloads.
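One way to turn the log-audit indicator above into a repeatable check, as an added example that is not code from the advisory or from Siemens: each captured JSON-RPC request body is classified by whether an argument names one of the files listed above, carries any other absolute path or `../` traversal sequence, or is not valid JSON-RPC at all. The endpoint path `/jsonrpc`, the method names and the sample capture lines are constructed for illustration; the real ROX endpoint and log layout are not given on this page.

```python
import json
import re

# Endpoint path is an assumption; substitute the device's real JSON-RPC URI.
JSONRPC_URI = "/jsonrpc"
# The advisory's own indicator examples: a strong signal in any argument.
SENSITIVE_PATHS = ("/etc/shadow", "/etc/passwd")
# Broader signal: an absolute path or "../" traversal embedded in an argument.
PATH_RE = re.compile(r"(?:^|[\s=:'\"(])/(?:[\w.\-]+/)*[\w.\-]+|\.\./")
# Constructed sample capture, '<ts> <src> <verb> <uri> <body>' per line (not real ROX logs).
SAMPLE_LOG = [
    '2025-06-01T10:00:01Z 10.1.1.20 POST /jsonrpc {"jsonrpc":"2.0","id":1,"method":"get_status","params":{"interface":"switch.0001"}}',
    '2025-06-01T10:00:02Z 10.1.1.20 GET /index.html -',
    '2025-06-01T10:00:03Z 10.1.1.77 POST /jsonrpc {"jsonrpc":"2.0","id":2,"method":"export","params":{"file":"/etc/shadow"}}',
    '2025-06-01T10:00:04Z 10.1.1.77 POST /jsonrpc {"jsonrpc":"2.0","id":3,"method":"export","params":["../../../etc/hostname"]}',
    '2025-06-01T10:00:05Z 10.1.1.77 POST /jsonrpc {"jsonrpc":"2.0","id":4,"method":"export","params":{"file":"/var/log/messages"}}',
    '2025-06-01T10:00:06Z 10.1.1.90 POST /jsonrpc {not json',
]

def walk_strings(node):
    # Yield every string nested anywhere in a decoded JSON value.
    if isinstance(node, str):
        yield node
    elif isinstance(node, (dict, list)):
        for value in (node.values() if isinstance(node, dict) else node):
            yield from walk_strings(value)

def classify_body(body):
    """Verdict for one JSON-RPC body: malformed, sensitive, suspicious or clean."""
    try:
        doc = json.loads(body)
    except ValueError:
        doc = None
    if not isinstance(doc, dict) or "method" not in doc:
        return "malformed"
    args = list(walk_strings(doc.get("params")))
    if any(path in arg for arg in args for path in SENSITIVE_PATHS):
        return "sensitive"
    if any(PATH_RE.search(arg) for arg in args):
        return "suspicious"
    return "clean"

def triage(lines):
    # Return (source, verdict, body) for each non-clean request to the JSON-RPC endpoint.
    alerts = []
    for line in lines:
        parts = line.split(" ", 4)
        if len(parts) < 5 or parts[3] != JSONRPC_URI:
            continue
        verdict = classify_body(parts[4])
        if verdict != "clean":
            alerts.append((parts[1], verdict, parts[4]))
    return alerts
```

Running `triage(SAMPLE_LOG)` flags the three requests from 10.1.1.77 (one sensitive, two suspicious) and the malformed body from 10.1.1.90, which is the kind of per-source clustering worth feeding into an OT IDS or SIEM rule.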
## References
- **Vendor Advisory:** SSA-973901 (V1.0)
- **Siemens ProductCERT:** hxxps[://]cert-portal[.]siemens[.]com/productcert/html/ssa-973901[.]html
- **Industrial Security Guidelines:** hxxps[://]www[.]siemens[.]com/cert/operational-guidelines-industrial-security