CVE-2025-40949: RUGGEDCOM ROX RCE Vulnerability

CVE-2025-40949 Overview

CVE-2025-40949 is a command injection vulnerability [CWE-78] affecting Siemens RUGGEDCOM ROX devices. The flaw exists in the Scheduler functionality of the Web UI, which fails to sanitize user-supplied input before passing it to the task scheduling backend. An authenticated remote attacker can inject operating system commands and execute them with root privileges on the underlying Linux operating system. The vulnerability affects all RUGGEDCOM ROX firmware versions prior to V2.17.1 across the MX5000, MX5000RE, RX1400, RX1500, RX1501, RX1510, RX1511, RX1512, RX1524, RX1536, and RX5000 product families. These devices are deployed in industrial and critical infrastructure networks, making compromise particularly impactful for operational technology environments.

Critical Impact

Authenticated attackers gain root-level command execution on industrial network devices, enabling full device compromise and potential lateral movement into OT networks.

Affected Products

• RUGGEDCOM ROX MX5000 and MX5000RE (All versions < V2.17.1)
• RUGGEDCOM ROX RX1400, RX1500, RX1501, RX1510, RX1511, RX1512, RX1524, RX1536 (All versions < V2.17.1)
• RUGGEDCOM ROX RX5000 (All versions < V2.17.1)

Discovery Timeline

• 2026-05-12 - CVE-2025-40949 published to NVD
• 2026-05-12 - Last updated in NVD database

Technical Details for CVE-2025-40949

Vulnerability Analysis

The vulnerability resides in the Scheduler component of the RUGGEDCOM ROX Web UI. The Scheduler allows administrators to configure recurring tasks on the device. The backend that processes scheduled task definitions does not validate or sanitize user-supplied input before constructing the underlying shell command. An attacker who is authenticated to the Web UI can submit a crafted task definition containing shell metacharacters. The backend then executes the injected payload with root privileges on the embedded Linux operating system.

Successful exploitation provides full control over the network device. Attackers can modify routing tables, inspect or intercept traffic transiting the device, disable security controls, establish persistence, and pivot deeper into segmented industrial networks. RUGGEDCOM ROX devices typically operate at the boundary between IT and OT networks, so compromise affects both environments.

Root Cause

The root cause is improper neutralization of special elements used in an operating system command [CWE-78]. The Scheduler backend concatenates user-supplied task parameters directly into a shell command without input validation, allowlisting, or safe argument passing. Shell metacharacters such as semicolons, backticks, pipes, and command substitution syntax are interpreted by the shell rather than treated as literal data.

Attack Vector

Exploitation requires network access to the Web UI and valid authentication credentials with permission to configure scheduled tasks. The attacker submits a Scheduler task containing an injected command payload. When the backend processes the task, the injected commands execute as root. The vulnerability mechanism is described in the Siemens Security Advisory SSA-081142. No public proof-of-concept exploit is currently available, and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog.

Detection Methods for CVE-2025-40949

Indicators of Compromise

• Unexpected entries in the Scheduler configuration containing shell metacharacters such as ;, &&, |, $(), or backticks
• New or unrecognized cron-style scheduled tasks created by administrative users
• Outbound network connections from the ROX device to unexpected hosts following Web UI activity
• Unusual process activity or files appearing on the device filesystem outside normal configuration paths

Detection Strategies

• Audit RUGGEDCOM ROX device configurations and review all Scheduler tasks for syntactically suspicious values
• Monitor authenticated Web UI sessions for Scheduler API calls submitted by accounts that do not typically configure tasks
• Correlate ROX device administrative logins with subsequent anomalous outbound traffic from the device management interface

Monitoring Recommendations

• Forward RUGGEDCOM ROX syslog data to a centralized SIEM and alert on Scheduler configuration changes
• Track failed and successful Web UI authentication events to detect credential abuse preceding exploitation attempts
• Baseline normal scheduled tasks per device and alert on deviations or additions

How to Mitigate CVE-2025-40949

Immediate Actions Required

• Upgrade affected RUGGEDCOM ROX devices to firmware version V2.17.1 or later
• Restrict Web UI access to a dedicated management network segment and block exposure from untrusted networks
• Rotate credentials for all administrative accounts on affected devices and enforce strong, unique passwords
• Review Scheduler entries on every affected device and remove any unauthorized or suspicious tasks

Patch Information

Siemens has released firmware V2.17.1 for all affected RUGGEDCOM ROX product families. Refer to the Siemens Security Advisory SSA-081142 for download links and product-specific upgrade guidance.

Workarounds

• Limit administrative account assignment to only personnel who require Scheduler access
• Place RUGGEDCOM ROX management interfaces behind a jump host or VPN with multi-factor authentication
• Apply network segmentation between IT and OT zones in accordance with IEC 62443 to limit blast radius if a device is compromised

# Configuration example: restrict Web UI access via ACL on the upstream firewall
# Allow only the dedicated management subnet to reach the ROX Web UI (TCP/443)
iptables -A FORWARD -s 10.10.50.0/24 -d <rox_device_ip> -p tcp --dport 443 -j ACCEPT
iptables -A FORWARD -d <rox_device_ip> -p tcp --dport 443 -j DROP