OTPulse

Siemens RUGGEDCOM ROX

Priority: Act Now
Score: 9.8
Source: ICS-CERT ICSA-23-194-01
Published: Jul 11, 2023
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

RUGGEDCOM ROX devices before firmware version 2.16.0 contain multiple high-severity vulnerabilities including weak TLS/SSL configuration (CWE-327, CWE-326), authentication bypass (CWE-287), command injection (CWE-78), buffer overflow (CWE-120), improper input validation (CWE-20), and password handling weaknesses (CWE-276). These issues stem from embedded third-party libraries (curl, OpenSSL) with known CVEs. A network attacker can exploit these to execute arbitrary commands, intercept communications, or crash devices without requiring valid credentials. Siemens has released firmware version 2.16.0 to address these vulnerabilities.

What this means
What could happen
An attacker with network access to a RUGGEDCOM ROX device could execute arbitrary commands, bypass authentication, intercept encrypted communications, or crash the device. This could allow unauthorized control of network infrastructure, interception of industrial traffic, or disruption of connectivity to remote sites and critical plant networks.
Who's at risk
Water utilities, electric utilities, and other infrastructure operators using Siemens RUGGEDCOM ROX industrial switches and routers (MX5000, RX1400–RX1536 series). These devices are critical for connecting remote substations, pump stations, and SCADA networks. Anyone relying on these switches for industrial network connectivity should treat this as high priority.
How it could be exploited
An attacker on the network (or with internet access if the device is exposed) can send a crafted request to the ROX device targeting one of multiple protocol and service vulnerabilities (weak TLS/SSL configuration, authentication bypass, command injection). No valid credentials are required for most attack vectors. Once one vulnerability is exploited, an attacker gains command execution or can pivot to access other network segments.
Prerequisites
  • Network access to the RUGGEDCOM ROX device on its listening ports (typically management/HTTP/HTTPS ports)
  • Device running firmware version earlier than 2.16.0
  • No authentication required for most vulnerability vectors
Risk factors
  • Remotely exploitable over network
  • No authentication required for exploitation
  • Low attack complexity
  • High EPSS score (41.2%)
  • Affects industrial network infrastructure (switches/routers)
  • Multiple CWEs including command injection, weak cryptography, and authentication bypass
Exploitability
High exploit probability (EPSS 41.2%)
Affected products (11)
11 with fix

Product                   Affected Versions   Fix Status
RUGGEDCOM ROX MX5000      < V2.16.0           2.16.0
RUGGEDCOM ROX MX5000RE    < V2.16.0           2.16.0
RUGGEDCOM ROX RX1400      < V2.16.0           2.16.0
RUGGEDCOM ROX RX1500      < V2.16.0           2.16.0
RUGGEDCOM ROX RX1501      < V2.16.0           2.16.0
RUGGEDCOM ROX RX1510      < V2.16.0           2.16.0
RUGGEDCOM ROX RX1511      < V2.16.0           2.16.0
RUGGEDCOM ROX RX1512      < V2.16.0           2.16.0
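A defender-side inventory check, added here as an example and not part of the OTPulse page or of Siemens' tooling: it takes the product lines from the table above and the 2.16.0 fix version, compares each inventoried device's firmware string numerically rather than lexically (so 2.9 is correctly treated as older than 2.16.0), and flags unreadable versions for manual review instead of silently passing them. The inventory rows and hostnames are constructed.

```python
"""Triage a RUGGEDCOM ROX inventory against ICSA-23-194-01 (fix: 2.16.0)."""
import re

# Product lines from the advisory table on this page; all are fixed in 2.16.0.
AFFECTED_MODELS = {
    "MX5000", "MX5000RE", "RX1400", "RX1500",
    "RX1501", "RX1510", "RX1511", "RX1512",
}
FIXED_VERSION = (2, 16, 0)

def parse_version(text: str) -> tuple[int, ...]:
    """'V2.15.3', '2.16.0' or '2.9' -> numeric tuple padded to three parts.
    Requires a dotted number (so a bare model digit such as 1500 is not
    mistaken for a version) and raises ValueError otherwise, so unknown
    firmware is never silently treated as patched."""
    m = re.search(r"(\d+\.\d+(?:\.\d+)*)", text)
    if not m:
        raise ValueError(f"no version number in {text!r}")
    parts = tuple(int(p) for p in m.group(1).split("."))
    return parts + (0,) * (3 - len(parts))

def is_affected(model: str, firmware: str) -> bool:
    """True when the model is in the advisory table and runs firmware < 2.16.0.
    Models outside the table return False here; check the vendor advisory for
    lines this list does not cover."""
    key = model.upper().replace("RUGGEDCOM ROX", "").strip()
    return key in AFFECTED_MODELS and parse_version(firmware) < FIXED_VERSION

def triage(inventory: list[dict[str, str]]) -> list[dict[str, str]]:
    """Return rows needing the 2.16.0 update, each with a 'reason' field.
    Unparseable versions are flagged rather than dropped."""
    findings = []
    for dev in inventory:
        try:
            if is_affected(dev["model"], dev["firmware"]):
                findings.append({**dev, "reason": "firmware older than 2.16.0"})
        except ValueError:
            findings.append({**dev, "reason": "version unreadable, verify manually"})
    return findings

# Constructed sample inventory (hostnames and values are made up).
SAMPLE_INVENTORY = [
    {"host": "sub-17-rtr", "model": "RUGGEDCOM ROX RX1500", "firmware": "V2.15.3"},
    {"host": "pump-3-sw", "model": "RUGGEDCOM ROX RX1511", "firmware": "2.16.0"},
    {"host": "plant-core", "model": "RUGGEDCOM ROX MX5000", "firmware": "2.9"},
    {"host": "lab-rx1400", "model": "RUGGEDCOM ROX RX1400", "firmware": "unknown"},
]

if __name__ == "__main__":
    for f in triage(SAMPLE_INVENTORY):
        print(f"{f['host']}: {f['model']} {f['firmware']} -> {f['reason']}")
```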
Remediation & Mitigation
Do now
  • WORKAROUND: Restrict network access to ROX devices using firewall rules — only allow management and monitoring traffic from authorized IT and engineering networks
  • WORKAROUND: Ensure devices are not reachable from the internet or untrusted networks
Schedule — requires maintenance window

Patching may require a device reboot — plan for process interruption

  • HOTFIX: Update all RUGGEDCOM ROX devices to firmware version 2.16.0 or later
Long-term hardening
  • HARDENING: Implement network segmentation to isolate control system networks from business networks
  • HARDENING: Use a VPN or secure out-of-band management channel for any remote access to ROX devices; keep VPN software updated