OTPulse

Siemens RUGGEDCOM ROX

Act NowCVSS 9.8ICS-CERT ICSA-23-194-01Jul 11, 2023
Siemens
Attack path
Attack VectorNetwork
Auth RequiredNone
ComplexityLow
User InteractionNone needed
Summary

RUGGEDCOM ROX devices before firmware version 2.16.0 contain multiple high-severity vulnerabilities including weak TLS/SSL configuration (CWE-327, CWE-326), authentication bypass (CWE-287), command injection (CWE-78), buffer overflow (CWE-120), improper input validation (CWE-20), and password handling weaknesses (CWE-276). These issues stem from embedded third-party libraries (curl, OpenSSL) with known CVEs. A network attacker can exploit these to execute arbitrary commands, intercept communications, or crash devices without requiring valid credentials. Siemens has released firmware version 2.16.0 to address these vulnerabilities.

What this means
What could happen
An attacker with network access to a RUGGEDCOM ROX device could execute arbitrary commands, bypass authentication, intercept encrypted communications, or crash the device. This could allow unauthorized control of network infrastructure, interception of industrial traffic, or disruption of connectivity to remote sites and critical plant networks.
Who's at risk
Water utilities, electric utilities, and other infrastructure operators using Siemens RUGGEDCOM ROX industrial switches and routers (MX5000, RX1400–RX1536 series). These devices are critical for connecting remote substations, pump stations, and SCADA networks. Anyone relying on these switches for industrial network connectivity should treat this as high priority.
How it could be exploited
An attacker on the network (or with internet access if the device is exposed) can send a crafted request to the ROX device targeting one of multiple protocol and service vulnerabilities (weak TLS/SSL configuration, authentication bypass, command injection). No valid credentials are required for most attack vectors. Once one vulnerability is exploited, an attacker gains command execution or can pivot to access other network segments.
Prerequisites
  • Network access to the RUGGEDCOM ROX device on its listening ports (typically management/HTTP/HTTPS ports)
  • Device running firmware version earlier than 2.16.0
  • No authentication required for most vulnerability vectors
Remotely exploitable over networkNo authentication required for exploitationLow attack complexityHigh EPSS score (41.2%)Affects industrial network infrastructure (switches/routers)Multiple CWEs including command injection, weak cryptography, and authentication bypass
Exploitability
Likely to be exploited — EPSS score 37.8%
Public Proof-of-Concept (PoC) on GitHub (5 repositories)
Affected products (11)
11 with fix
ProductAffected VersionsFix Status
RUGGEDCOM ROX MX5000<V2.16.02.16.0
RUGGEDCOM ROX MX5000RE<V2.16.02.16.0
RUGGEDCOM ROX RX1400<V2.16.02.16.0
RUGGEDCOM ROX RX1500<V2.16.02.16.0
RUGGEDCOM ROX RX1501<V2.16.02.16.0
RUGGEDCOM ROX RX1510<V2.16.02.16.0
RUGGEDCOM ROX RX1511<V2.16.02.16.0
RUGGEDCOM ROX RX1512<V2.16.02.16.0
Remediation & Mitigation
0/5
Do now
0/2
WORKAROUNDRestrict network access to ROX devices using firewall rules—only allow management and monitoring traffic from authorized IT and engineering networks
WORKAROUNDEnsure devices are not reachable from the internet or untrusted networks
Schedule — requires maintenance window
0/1

Patching may require device reboot — plan for process interruption

HOTFIXUpdate all RUGGEDCOM ROX devices to firmware version 2.16.0 or later
Long-term hardening
0/2
HARDENINGImplement network segmentation to isolate control system networks from business networks
HARDENINGUse a VPN or secure out-of-band management channel for any remote access to ROX devices; keep VPN software updated
View full CISA ICS-CERT advisory
API: /api/v1/advisories/7265d1b3-f0aa-4cdc-a308-45f0ff9dfad5

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.