Siemens RUGGEDCOM ROX II
Action: Plan Patch | CVSS: 8.8 | ICS-CERT: ICSA-24-347-03 | Published: Dec 10, 2024
Vendor: Siemens
Attack path
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: Required
Summary
A cross-site request forgery (CSRF) vulnerability in the CLI feature of the web interface affects RUGGEDCOM ROX II industrial switches and routers. An attacker can trick an authenticated user into clicking a malicious link to perform unauthorized administrative actions on the device. Siemens has released firmware version 2.16.0 to address this vulnerability. The exploit requires an authenticated user to click a malicious link while logged into the device's web interface.
What this means
What could happen
An attacker can trick an authenticated administrator into clicking a malicious link, allowing the attacker to perform unauthorized administrative actions on the RUGGEDCOM ROX II device, such as modifying network settings, changing access controls, or altering operational configurations.
Who's at risk
Water utilities and electric utilities operating RUGGEDCOM ROX II industrial ethernet switches and routers (MX5000, RX series) used for network infrastructure in substations, pump stations, and control centers should prioritize patching. These devices manage critical communications between PLCs, SCADA systems, and remote terminal units (RTUs).
How it could be exploited
An attacker crafts a malicious web link that performs an administrative action (via CSRF) and tricks an authenticated user into clicking it while logged into the device's web interface. The user's browser then sends the request to the device with the user's session cookies attached automatically, so the device executes the attacker's intended action without the user's knowledge.
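To make the mechanism concrete, here is an added Python example (not Siemens' code and not the ROX II implementation): a cookie-only authorization check that a forged cross-site request passes, beside the checks a hardened admin endpoint performs before running a state-changing action. The management origin, the /cli path and the request shapes are constructed assumptions.

```python
from __future__ import annotations
import hmac
import secrets
from dataclasses import dataclass, field

# Constructed example: a simplified admin endpoint of a device web UI. The
# management origin and the /cli path are assumptions, not the product's values.
ALLOWED_ORIGIN = "https://rox2.example.ot"

@dataclass
class Request:
    method: str
    path: str
    cookies: dict = field(default_factory=dict)   # attached automatically by the browser
    headers: dict = field(default_factory=dict)
    form: dict = field(default_factory=dict)      # must come from the UI's own form/script

def new_session(sessions: dict) -> tuple[str, str]:
    """Log a user in: return (session cookie value, CSRF token bound to that session)."""
    sid = secrets.token_urlsafe(32)
    sessions[sid] = secrets.token_urlsafe(32)
    return sid, sessions[sid]

def cookie_only_check(req: Request, sessions: dict) -> bool:
    """The vulnerable pattern: run the action because the session cookie is valid.
    A forged cross-site request passes, since the browser attaches the cookie anyway."""
    return req.cookies.get("session") in sessions

def should_execute(req: Request, sessions: dict) -> tuple[bool, str]:
    """Hardened pattern: the cookie proves who the user is, not that they meant this."""
    sid = req.cookies.get("session")
    if sid not in sessions:
        return False, "no valid session cookie"
    if req.method in ("GET", "HEAD"):
        # a state change reachable by a bare link is exactly what a crafted link abuses
        return False, "state-changing action must use POST"
    origin = req.headers.get("Origin")
    if origin is not None and origin != ALLOWED_ORIGIN:
        return False, f"cross-site origin {origin}"
    if req.headers.get("Sec-Fetch-Site", "same-origin") not in ("same-origin", "none"):
        return False, "cross-site fetch metadata"
    # the token lives in the page, not in a cookie, so a foreign site cannot supply it
    token = req.form.get("csrf_token", "")
    if not hmac.compare_digest(token.encode(), sessions[sid].encode()):
        return False, "missing or mismatched CSRF token"
    return True, "ok"
```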
Prerequisites
- User must be authenticated to the RUGGEDCOM ROX II web interface
- User must click a malicious link while the authenticated session is active
- Device must be reachable from the attacker's network or an attacker-controlled website
Tags: remotely exploitable · requires user interaction (clicking malicious link) · affects device with administrative web interface · low complexity attack
Exploitability
Unlikely to be exploited — EPSS score 0.1%
Affected products (11)
11 with fix
Product                | Affected Versions | Fix Status
RUGGEDCOM ROX MX5000   | < V2.16.0         | 2.16.0
RUGGEDCOM ROX MX5000RE | < V2.16.0         | 2.16.0
RUGGEDCOM ROX RX1400   | < V2.16.0         | 2.16.0
RUGGEDCOM ROX RX1500   | < V2.16.0         | 2.16.0
RUGGEDCOM ROX RX1501   | < V2.16.0         | 2.16.0
RUGGEDCOM ROX RX1510   | < V2.16.0         | 2.16.0
RUGGEDCOM ROX RX1511   | < V2.16.0         | 2.16.0
RUGGEDCOM ROX RX1512   | < V2.16.0         | 2.16.0
Remediation & Mitigation
Do now
- WORKAROUND: Only access RUGGEDCOM ROX II web interface links from trusted sources while authenticated
Schedule — requires maintenance window
- Patching may require device reboot — plan for process interruption
- HOTFIX: Update all affected RUGGEDCOM ROX II devices to firmware version 2.16.0 or later
Long-term hardening
- HARDENING: Restrict network access to the RUGGEDCOM ROX II web interface to authorized engineering workstations only, using firewall rules
- HARDENING: Isolate RUGGEDCOM ROX II devices on a protected OT network segment, not reachable from business networks or the internet
CVEs (1)