CVE-2025-40948 Overview
CVE-2025-40948 affects Siemens RUGGEDCOM ROX industrial routers and switches. The web server's JSON-RPC interface fails to properly validate input, allowing an authenticated remote attacker to read arbitrary files from the underlying Linux filesystem with root privileges. The flaw is tracked under CWE-88: Improper Neutralization of Argument Delimiters in a Command. Siemens released firmware version V2.17.1 to address the issue. The vulnerability impacts industrial control system (ICS) environments where RUGGEDCOM ROX devices route and switch traffic in substations, transportation networks, and manufacturing plants.
Critical Impact
An authenticated attacker can read any file on the device, including /etc/shadow, private keys, and configuration backups, with root privileges.
Affected Products
- RUGGEDCOM ROX MX5000 / MX5000RE (all versions before V2.17.1)
- RUGGEDCOM ROX RX1400, RX1500, RX1501, RX1510, RX1511, RX1512, RX1524, RX1536 (all versions before V2.17.1)
- RUGGEDCOM ROX RX5000 (all versions before V2.17.1)
Discovery Timeline
- 2026-05-12 - CVE-2025-40948 published to NVD
- 2026-05-12 - Last updated in NVD database
Technical Details for CVE-2025-40948
Vulnerability Analysis
The RUGGEDCOM ROX web management interface exposes a JSON-RPC endpoint used for device administration. The endpoint accepts parameters that are passed to underlying operating system commands or file handlers without adequate neutralization of argument delimiters. An authenticated user can craft a JSON-RPC request whose arguments break out of the expected parameter context and instruct the backend process to read files outside the intended scope.
Because the ROX web server and its helper processes run as root, the attacker inherits full read access to the filesystem. Sensitive targets include /etc/shadow, SSH host keys, TLS private keys used by the management interface, NETCONF configuration databases, and certificate stores used for IPsec or 802.1X.
The issue is classified as CWE-88, indicating that argument delimiters such as spaces, quotes, or option flags are not stripped before downstream consumption. The EPSS probability is 0.037% at the 11th percentile, reflecting low observed exploitation activity at publication.
Root Cause
The JSON-RPC handler concatenates client-supplied values into an argument list passed to a privileged file-reading routine. Without strict allowlisting or argument separation, an attacker injects additional arguments or path traversal sequences that redirect the read operation to attacker-chosen files.
Attack Vector
Exploitation requires network access to the device's web management interface and valid authenticated credentials with high privileges. The attacker submits a malicious JSON-RPC request over HTTPS. No user interaction is required. The confidentiality impact extends beyond the vulnerable component to the underlying operating system, meeting the criteria for a subsequent-system scope change.
No public proof-of-concept code is available. See the Siemens Security Advisory SSA-973901 for vendor technical details.
Detection Methods for CVE-2025-40948
Indicators of Compromise
- Unexpected JSON-RPC POST requests to the ROX web interface containing path traversal sequences (../), absolute paths to /etc/, /root/, or /var/ in parameter values, or shell argument delimiters in method parameters.
- Authentication events for administrative accounts from unusual source IP addresses immediately preceding bursts of JSON-RPC traffic.
- Web server access logs showing large or repeated responses to JSON-RPC method calls that normally return small payloads.
Detection Strategies
- Inspect HTTPS traffic to the ROX management interface for malformed or suspicious JSON-RPC payloads using a network IDS or TLS-terminating proxy.
- Correlate administrative login events with subsequent JSON-RPC API calls referencing filesystem paths, flagging deviations from normal operator behavior.
- Forward device syslog and web server logs to a centralized SIEM and apply rules that match path traversal patterns and reads of sensitive files.
Monitoring Recommendations
- Enable verbose audit logging on RUGGEDCOM ROX devices and ship logs off-device to immutable storage.
- Baseline normal JSON-RPC method usage per administrator account and alert on new or rarely used methods.
- Monitor for outbound data transfers from management workstations that follow JSON-RPC sessions, which may indicate exfiltration of stolen files.
How to Mitigate CVE-2025-40948
Immediate Actions Required
- Upgrade all affected RUGGEDCOM ROX devices to firmware V2.17.1 or later as directed in SSA-973901.
- Restrict access to the device web management interface to a dedicated, isolated management VLAN reachable only by authorized engineering workstations.
- Rotate credentials, SSH host keys, and TLS certificates on any device where unauthorized JSON-RPC activity is suspected.
Patch Information
Siemens fixed the vulnerability in RUGGEDCOM ROX firmware V2.17.1. All listed models — MX5000, MX5000RE, RX1400, RX1500, RX1501, RX1510, RX1511, RX1512, RX1524, RX1536, and RX5000 — must be upgraded to this version or later. Refer to the Siemens Security Advisory SSA-973901 for download links and upgrade instructions.
Workarounds
- Limit web management access to trusted hosts using device firewall rules or upstream ACLs until firmware can be updated.
- Enforce least-privilege role assignment so that only essential accounts hold the high privileges required to reach the vulnerable JSON-RPC methods.
- Disable the web management interface on devices that can be administered exclusively over CLI or NETCONF on a hardened channel.
# Example: restrict ROX web management to a management subnet
# (adapt to your perimeter firewall syntax)
allow tcp from 10.10.50.0/24 to <rox-mgmt-ip> port 443
deny tcp from any to <rox-mgmt-ip> port 443
: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
