Siemens RUGGEDCOM ROX II

Plan Patch | CVSS 9.9 | ICS-CERT ICSA-25-135-17 | May 13, 2025
Siemens
Attack path
Attack Vector: Network
Auth Required: Low
Complexity: Low
User Interaction: None needed
Summary

RUGGEDCOM ROX II devices contain Client-Side Enforcement of Server-Side Security vulnerabilities (CWE-602) in the web interface. An attacker with legitimate privileged credentials could bypass client-side security checks and execute arbitrary code with OS-level privileges on the underlying operating system. This affects RUGGEDCOM ROX MX5000, MX5000RE, RX1400, RX1500, RX1501, RX1510, RX1511, RX1512, RX1524, RX1536, and RX5000 series devices running firmware versions below 2.16.5. Siemens has released firmware version 2.16.5 as a fix for all affected models.

What this means
What could happen
An attacker with a legitimate privileged web interface account on a RUGGEDCOM ROX II device could execute arbitrary code on the underlying operating system, potentially allowing them to modify device configuration, intercept network traffic, or disrupt industrial operations.
Who's at risk
This vulnerability affects operators of Siemens RUGGEDCOM ROX II industrial routers, which are commonly used in water utilities, electric utilities, and other critical infrastructure for secure industrial network connectivity. Anyone relying on these devices for remote site access, industrial control network routing, or edge network management should prioritize this update.
How it could be exploited
An attacker with valid engineering or administrator credentials logs into the web interface of a RUGGEDCOM ROX II device. They exploit client-side security enforcement bypasses (CWE-602) to submit malicious payloads that would normally be rejected by browser-side validation. The device accepts and executes these commands on the OS itself, giving the attacker privileged code execution.
Prerequisites
  • Valid privileged web interface account credentials (engineering or administrator role)
  • Network access to the web interface (typically HTTP/HTTPS port on the device)
  • Vulnerable firmware version below 2.16.5
  • Remotely exploitable over network
  • Requires valid privileged credentials
  • Low attack complexity
  • Affects industrial network infrastructure
  • CVSS score 9.9 (critical)
Exploitability
Unlikely to be exploited — EPSS score 0.9%
Affected products (11)
11 with fix
Product                   Affected Versions   Fix Status
RUGGEDCOM ROX MX5000      < 2.16.5            2.16.5
RUGGEDCOM ROX MX5000RE    < 2.16.5            2.16.5
RUGGEDCOM ROX RX1400      < 2.16.5            2.16.5
RUGGEDCOM ROX RX1500      < 2.16.5            2.16.5
RUGGEDCOM ROX RX1501      < 2.16.5            2.16.5
RUGGEDCOM ROX RX1510      < 2.16.5            2.16.5
RUGGEDCOM ROX RX1511      < 2.16.5            2.16.5
RUGGEDCOM ROX RX1512      < 2.16.5            2.16.5
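
An added example (not part of the original advisory and not Siemens tooling): a fleet triage that checks an asset inventory against the affected models named in the summary and the 2.16.5 fix version. The inventory rows, host names, the EXAMPLE9000 model and the CSV column names are constructed assumptions.

```python
import csv
import io
import re

# Models and fixed version as listed in the advisory summary.
AFFECTED_MODELS = {"MX5000", "MX5000RE", "RX1400", "RX1500", "RX1501", "RX1510",
                   "RX1511", "RX1512", "RX1524", "RX1536", "RX5000"}
FIXED_VERSION = (2, 16, 5)

# Constructed sample inventory; the column names are assumptions.
SAMPLE_INVENTORY = """host,model,firmware
sub-a-rtr1,RUGGEDCOM ROX RX1500,2.16.5
sub-a-rtr2,RX1400,v2.9.1
pump-7-rtr,RUGGEDCOM ROX MX5000RE,ROX 2.16.10
wtp-core,RX5000,2.15
lab-rtr1,RX1512,unknown
office-rtr,EXAMPLE9000,4.3.7
"""

def parse_version(text):
    """Return a numeric tuple such as (2, 16, 5), or None if no version is found."""
    match = re.search(r"(\d+(?:\.\d+)+)", text)
    if not match:
        return None
    parts = [int(p) for p in match.group(1).split(".")]
    parts += [0] * (3 - len(parts))          # treat "2.15" as 2.15.0
    return tuple(parts)

def model_key(text):
    """Reduce 'RUGGEDCOM ROX RX1500' or 'rx1500' to 'RX1500'."""
    return text.strip().upper().split()[-1] if text.strip() else ""

def triage(inventory_csv):
    """Classify every row as not_affected, fixed, vulnerable or review."""
    results = {}
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        if model_key(row["model"]) not in AFFECTED_MODELS:
            status = "not_affected"
        else:
            version = parse_version(row["firmware"])
            if version is None:
                status = "review"            # unknown firmware: check by hand
            elif version < FIXED_VERSION:    # numeric compare, so 2.9.1 < 2.16.5
                status = "vulnerable"
            else:
                status = "fixed"
        results[row["host"]] = status
    return results

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host:12} {status}")
```

Versions are compared as integer tuples because a plain string comparison would rank 2.9.1 above 2.16.5 and 2.16.10 below it.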
Remediation & Mitigation
Do now
WORKAROUND: Restrict web interface access to the RUGGEDCOM ROX II devices to trusted engineering workstations only using network firewall rules or access control lists
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Update all RUGGEDCOM ROX II devices (MX5000, RX1400, RX1500, RX1501, RX1510, RX1511, RX1512, RX1524, RX1536, RX5000 series) to firmware version 2.16.5 or later
Long-term hardening
HARDENING: Implement network segmentation to isolate RUGGEDCOM ROX II devices from the business network and prevent direct Internet access
HARDENING: Enforce strong, unique passwords for all privileged web interface accounts and implement multi-factor authentication if supported