OTPulse

Siemens RUGGEDCOM ROS Code Injection

Plan: Patch
CVSS: 8
ICS-CERT: ICSA-22-195-18
Published: Jul 12, 2022
Attack Vector: Network
Auth Required: Low
Complexity: Low
User Interaction: Required
Summary

RUGGEDCOM ROS-based industrial routers are vulnerable to code injection through the Command Line Interface (CLI). An authenticated attacker can inject malicious commands that are executed on the device, potentially leading to remote code execution. The vulnerability affects a broad range of RUGGEDCOM models used in utility and industrial networks for secure remote management and communications.

What this means
What could happen
An attacker with CLI access could inject and execute arbitrary commands on RUGGEDCOM routers, potentially allowing them to alter network traffic routing, intercept communications between control systems and field devices, or disable remote management capabilities for critical infrastructure.
Who's at risk
Utilities and industrial facilities that use Siemens RUGGEDCOM industrial routers for network management, redundancy, and remote device connectivity. This includes water authorities, electric utilities, and manufacturing plants that rely on these devices for secure communications between field equipment (RTUs, PLCs, IEDs) and control centers. Affected roles include network engineers, control system administrators, and operations staff who manage and configure these devices.
How it could be exploited
An attacker must first obtain valid CLI credentials (engineering workstation account or similar) to connect to the device on port 22/TCP. Once authenticated, they can inject shell metacharacters or code into CLI command inputs to break out of the intended command context and execute arbitrary system commands on the router itself.
Prerequisites
  • Valid CLI user credentials for the RUGGEDCOM device (engineering or administrative account)
  • Network access to the device on port 22/TCP (SSH) or port 443/TCP (HTTPS-based CLI)
  • Device must be accessible from the attacker's network location (internal network segment or compromised management workstation)
Key points
  • Remotely exploitable via CLI/SSH
  • Requires valid credentials (authentication required)
  • Low complexity attack once credentials obtained
  • Affects multiple product lines and hundreds of device models
  • No patch available for end-of-life 'F' models (M969F, M2100F, M2200F, RS400F, RS416F, RS416PF, RS900F, RS900GF, RS900GPF, RS940GF, RSG2100F, RSG2100PF, RSG2200F, RSG2300F, RSG2300PF, RSG2488F)
Exploitability
Low exploit probability (EPSS 0.8%)
Affected products (152)
136 with fix, 16 pending

Product            | Affected Versions | Fix Status
-------------------|-------------------|-----------
RUGGEDCOM i800     | < 4.3.8           | 4.3.8
RUGGEDCOM i800NC   | < 4.3.8           | 4.3.8
RUGGEDCOM i801     | < 4.3.8           | 4.3.8
RUGGEDCOM i801NC   | < 4.3.8           | 4.3.8
RUGGEDCOM i802     | < 4.3.8           | 4.3.8
Remediation & Mitigation
Do now
WORKAROUND: Restrict CLI network access to trusted IP addresses only; limit inbound connections to ports 22/TCP (SSH) and 443/TCP (HTTPS) from management network segments only
HARDENING: Implement strong CLI user authentication; enforce unique passwords for all engineering and administrative accounts on RUGGEDCOM devices and disable any default credentials
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

RUGGEDCOM RS900 (32M) V4.X
HOTFIX: Update RUGGEDCOM ROS firmware to version 5.6.0 or later for V5.X devices and models that ship with 5.X (RMC8388 V5.X, RS416NCv2 V5.X, RS416PNCv2 V5.X, RS416Pv2 V5.X, RS900 32M V5.X, RSG907R, RSG908C, RSG909R, RSG910C, RSG920P V5.X, RSG2100 32M V5.X, RSG2100P 32M V5.X, RSG2288 V5.X, RSG2300 V5.X, RSG2300P V5.X, RSG2488 V5.X, RSL910, RST916C, RST916P, RST2228, RST2228P)
All products
HOTFIX: Update RUGGEDCOM ROS firmware to version 4.3.8 or later for V4.X devices (i800, i801, i802, i803, M969, M2100, M2200, RMC30, RP110, RS400, RS401, RS416, RS416v2, RS900, RS910, RS920, RS930, RS940, RS969, RS1600, RS8000, RSG920P, RSG2100, RSG2200, RSG2300, RSG2488)
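To apply the two hotfix lines above across a fleet, here is an added Python triage helper (not from OTPulse or Siemens). It keys the required fix on the running ROS major train, 4.x needs 4.3.8 and 5.x needs 5.6.0 as the advisory states, and flags the listed end-of-life F models as having no fix; the hostnames and versions in the sample inventory are constructed.

```python
# Added example: triage a RUGGEDCOM ROS inventory against the fixed versions
# named in this advisory (4.3.8 for V4.X, 5.6.0 for V5.X). Not vendor code.
FIXED = {4: (4, 3, 8), 5: (5, 6, 0)}   # major train -> first fixed version

# End-of-life 'F' models from the advisory: no patch is available for these.
EOL_F_MODELS = {
    "M969F", "M2100F", "M2200F", "RS400F", "RS416F", "RS416PF", "RS900F",
    "RS900GF", "RS900GPF", "RS940GF", "RSG2100F", "RSG2100PF", "RSG2200F",
    "RSG2300F", "RSG2300PF", "RSG2488F",
}

def parse_version(text):
    """Turn 'ROS 4.3.7' or '5.5.1' into a comparable tuple; ValueError if malformed."""
    parts = text.strip().upper().removeprefix("ROS").strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised ROS version: {text!r}")
    return tuple(int(p) for p in parts)

def triage(model, version_text):
    """Return 'eol-no-fix', 'upgrade', 'patched' or 'unknown-train' for one device."""
    if model.upper() in EOL_F_MODELS:
        return "eol-no-fix"        # only the access-restriction workarounds apply
    version = parse_version(version_text)
    fixed = FIXED.get(version[0])
    if fixed is None:
        return "unknown-train"     # not a 4.x or 5.x train covered by the advisory
    return "patched" if version >= fixed else "upgrade"

def triage_inventory(rows):
    """rows: iterable of (hostname, model, version); returns {hostname: status}."""
    return {host: triage(model, ver) for host, model, ver in rows}

# Constructed sample inventory (hostnames, models and versions are illustrative).
SAMPLE_INVENTORY = [
    ("substation-a-rs900", "RS900", "ROS 4.3.7"),
    ("substation-b-rsg2488", "RSG2488", "4.3.8"),
    ("plant-core-rst2228", "RST2228", "5.5.0"),
    ("plant-edge-rsg907r", "RSG907R", "5.6.0"),
    ("legacy-rs416f", "RS416F", "4.2.1"),
]

if __name__ == "__main__":
    for host, status in triage_inventory(SAMPLE_INVENTORY).items():
        print(f"{host:24} {status}")
```

Devices reported as eol-no-fix cannot be patched and should be scheduled for the access-restriction and segmentation measures listed on this page instead.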
Long-term hardening
HARDENING: Isolate RUGGEDCOM devices from the internet; place them behind firewalls and configure network segmentation so CLI access is only available from secured management networks, not from business office networks
Siemens RUGGEDCOM ROS Code Injection | CVSS 8 - OTPulse