Siemens RUGGEDCOM ROX II

Act NowCVSS 9.8ICS-CERT ICSA-21-040-04Feb 9, 2021

Siemens

Attack path

Attack VectorNetwork

Auth RequiredNone

ComplexityLow

User InteractionNone needed

Summary

Multiple vulnerabilities in Siemens RUGGEDCOM ROX II industrial networking devices (models MX5000, RX1400, RX1500, RX1501, RX1510, RX1511, RX1512, RX5000) allow remote code execution. The vulnerabilities stem from improper input validation (CWE-20), null pointer dereference (CWE-476), buffer overflow (CWE-787), missing cryptographic validation (CWE-295), and other weaknesses. An unauthenticated attacker with network access can send specially crafted input to the device to trigger the vulnerability and gain full code execution, potentially compromising the device's ability to route traffic, maintain secure tunnels, or enforce firewall policies.

What this means

What could happen

An attacker with network access to a RUGGEDCOM ROX device could execute arbitrary code and fully compromise the device, potentially altering network routing, tunnel configurations, or packet filtering rules that protect critical plant operations or cause denial of service.

Who's at risk

This vulnerability affects operators of Siemens RUGGEDCOM ROX industrial networking devices (specifically the MX5000, RX1400, RX1500, RX1501, RX1510, RX1511, RX1512, and RX5000 models). These are rugged networking appliances used in power grids, water systems, and other critical infrastructure to provide secure, resilient network connectivity. Any organization using these devices for remote site connectivity, secure tunneling, or industrial network segmentation should prioritize remediation.

How it could be exploited

An attacker reaches the device over the network (port not specified in advisory) and sends a malformed input that bypasses input validation. This triggers a memory corruption or null pointer dereference, allowing code execution with the privileges of the ROX device. The attacker gains full device control without needing credentials.

Prerequisites

Network reachability to the RUGGEDCOM ROX device over its management or data interface
No authentication required
Device running firmware version before 2.14.0

Remotely exploitableNo authentication requiredLow complexity attackHigh EPSS score (14.5%)Affects network infrastructure critical to plant operations

Exploitability

Likely to be exploited — EPSS score 14.5%

Affected products (8)

8 with fix

ProductAffected VersionsFix Status

RUGGEDCOM ROX MX5000: All<V2.14.02.14.0

RUGGEDCOM ROX RX1400: All<V2.14.02.14.0

RUGGEDCOM ROX RX1500: All<V2.14.02.14.0

RUGGEDCOM ROX RX1501: All<V2.14.02.14.0

RUGGEDCOM ROX RX1510: All<V2.14.02.14.0

RUGGEDCOM ROX RX1511: All<V2.14.02.14.0

RUGGEDCOM ROX RX1512: All<V2.14.02.14.0

RUGGEDCOM ROX RX5000: All<V2.14.02.14.0

Remediation & Mitigation

0/5

Do now

0/1

WORKAROUNDDisable IPsec on devices where it is not required for network operation, reducing the attack surface

Schedule — requires maintenance window

0/1

Patching may require device reboot — plan for process interruption

HOTFIXUpdate all RUGGEDCOM ROX devices (MX5000, RX1400, RX1500, RX1501, RX1510, RX1511, RX1512, RX5000) to firmware version 2.14.0 or later

Long-term hardening

0/3

HARDENINGRestrict network access to RUGGEDCOM ROX devices using firewall rules and access control lists; do not expose devices directly to the Internet

HARDENINGIsolate RUGGEDCOM ROX devices and the control system network from the business network using network segmentation

HARDENINGIf remote access is required, use a VPN with current security patches to create a secure tunnel to the devices

CVEs (6)

CVE-2018-12404 CVE-2018-18508 CVE-2019-11745 CVE-2019-17006 CVE-2019-17007 CVE-2020-1763

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/0e581ddd-6da3-4c5c-bdaf-1a7bbd118517

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.