OTPulse

Siemens RUGGEDCOM ROX II

Priority: Act Now · CVSS 9.8 · ICS-CERT ICSA-21-040-04 · Feb 9, 2021
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

Multiple vulnerabilities in Siemens RUGGEDCOM ROX II industrial networking devices (models MX5000, RX1400, RX1500, RX1501, RX1510, RX1511, RX1512, RX5000) allow remote code execution. The vulnerabilities stem from improper input validation (CWE-20), null pointer dereference (CWE-476), buffer overflow (CWE-787), missing cryptographic validation (CWE-295), and other weaknesses. An unauthenticated attacker with network access can send specially crafted input to the device to trigger one of these flaws and gain full code execution, potentially compromising the device's ability to route traffic, maintain secure tunnels, or enforce firewall policies.

What this means
What could happen
An attacker with network access to a RUGGEDCOM ROX device could execute arbitrary code and fully compromise the device, potentially altering the network routing, tunnel configurations, or packet filtering rules that protect critical plant operations, or causing a denial of service.
Who's at risk
This vulnerability affects operators of Siemens RUGGEDCOM ROX industrial networking devices (specifically the MX5000, RX1400, RX1500, RX1501, RX1510, RX1511, RX1512, and RX5000 models). These are rugged networking appliances used in power grids, water systems, and other critical infrastructure to provide secure, resilient network connectivity. Any organization using these devices for remote site connectivity, secure tunneling, or industrial network segmentation should prioritize remediation.
How it could be exploited
An attacker reaches the device over the network (port not specified in advisory) and sends a malformed input that bypasses input validation. This triggers a memory corruption or null pointer dereference, allowing code execution with the privileges of the ROX device. The attacker gains full device control without needing credentials.
Prerequisites
  • Network reachability to the RUGGEDCOM ROX device over its management or data interface
  • No authentication required
  • Device running firmware version before 2.14.0
Risk factors
  • Remotely exploitable
  • No authentication required
  • Low complexity attack
  • High EPSS score (14.5%)
  • Affects network infrastructure critical to plant operations
Exploitability
High exploit probability (EPSS 14.5%)
Affected products (8)
8 with fix
Product                 Affected Versions   Fix Status
RUGGEDCOM ROX MX5000    All < V2.14.0       Fixed in 2.14.0
RUGGEDCOM ROX RX1400    All < V2.14.0       Fixed in 2.14.0
RUGGEDCOM ROX RX1500    All < V2.14.0       Fixed in 2.14.0
RUGGEDCOM ROX RX1501    All < V2.14.0       Fixed in 2.14.0
RUGGEDCOM ROX RX1510    All < V2.14.0       Fixed in 2.14.0
RUGGEDCOM ROX RX1511    All < V2.14.0       Fixed in 2.14.0
RUGGEDCOM ROX RX1512    All < V2.14.0       Fixed in 2.14.0
RUGGEDCOM ROX RX5000    All < V2.14.0       Fixed in 2.14.0
Remediation & Mitigation
Do now
WORKAROUND: Disable IPsec on devices where it is not required for network operation, reducing the attack surface

Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Update all RUGGEDCOM ROX devices (MX5000, RX1400, RX1500, RX1501, RX1510, RX1511, RX1512, RX5000) to firmware version 2.14.0 or later

Long-term hardening
HARDENING: Restrict network access to RUGGEDCOM ROX devices using firewall rules and access control lists; do not expose devices directly to the Internet
HARDENING: Isolate RUGGEDCOM ROX devices and the control system network from the business network using network segmentation
HARDENING: If remote access is required, use a VPN with current security patches to create a secure tunnel to the devices
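As an added example (not part of the OTPulse page or a Siemens tool), the following script turns the affected-products table and the remediation checklist above into a fleet triage: it parses ROX firmware strings such as "V2.13.3" or "2.14.0", flags every listed model below the 2.14.0 fix, and separates affected devices that still have IPsec enabled from those where the workaround is already in place. The inventory, hostnames and the Device/assess/report names are constructed for illustration.

```python
from __future__ import annotations
import re
from typing import NamedTuple

# From the affected-products table on this page: every listed ROX II model is
# affected in all firmware versions below V2.14.0, and 2.14.0 is the fix.
FIX_VERSION = "2.14.0"
AFFECTED_MODELS = {"MX5000", "RX1400", "RX1500", "RX1501",
                   "RX1510", "RX1511", "RX1512", "RX5000"}

def parse_version(text: str) -> tuple[int, ...]:
    """Turn 'V2.13.3', 'v2.14' or '2.14.0' into a tuple of ints."""
    m = re.fullmatch(r"[vV]?(\d+(?:\.\d+)*)", text.strip())
    if not m:
        raise ValueError(f"unrecognised ROX version string: {text!r}")
    return tuple(int(p) for p in m.group(1).split("."))

def version_at_least(have: str, want: str) -> bool:
    """Compare after zero-padding so 'V2.14' counts as 2.14.0, not as older."""
    a, b = parse_version(have), parse_version(want)
    width = max(len(a), len(b))
    return a + (0,) * (width - len(a)) >= b + (0,) * (width - len(b))

class Device(NamedTuple):
    name: str
    model: str
    firmware: str
    ipsec_enabled: bool

def assess(dev: Device) -> str:
    """Classify one device against the advisory's affected/fixed versions."""
    if dev.model not in AFFECTED_MODELS:
        return "not listed"
    if version_at_least(dev.firmware, FIX_VERSION):
        return "fixed"
    # Below 2.14.0: the page's 'do now' workaround is to disable IPsec where
    # it is not needed, so distinguish devices that still have it enabled.
    return "affected, IPsec on" if dev.ipsec_enabled else "affected, IPsec off"

# Constructed sample inventory: hypothetical hostnames and versions, not real data.
INVENTORY = [
    Device("sub-a-rtr", "RX1500", "V2.13.3", True),
    Device("sub-b-rtr", "RX1400", "2.14.0", True),
    Device("plant-core", "RX5000", "V2.12.1", False),
    Device("legacy-sw", "RS900", "V4.3", True),  # not a ROX II model
]

def report(inventory: list[Device] = INVENTORY) -> dict[str, str]:
    return {d.name: assess(d) for d in inventory}
```

Run `report()` against your own asset list; devices reported as "affected, IPsec on" are the ones to act on first under the "Do now" item, and every "affected" device belongs in the scheduled 2.14.0 update.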