Siemens RUGGEDCOM ROX II
Act Now · 9.9 · ICS-CERT ICSA-25-135-17 · May 13, 2025
Attack Vector: Network
Auth Required: Low
Complexity: Low
User Interaction: None needed
Summary
Multiple Client-Side Enforcement of Server-Side Security vulnerabilities exist in the web interface of RUGGEDCOM ROX II managed switches (MX5000, RX1400–RX1536, RX5000 series). These vulnerabilities allow an attacker with a legitimate privileged account on the web interface to achieve code execution in the underlying operating system. Affected firmware versions are below 2.16.5. Siemens has released patched firmware (v2.16.5 or later) for all affected models.
What this means
What could happen
An attacker with a privileged web interface account could execute arbitrary code on the underlying operating system of RUGGEDCOM ROX II devices, potentially allowing them to alter network traffic, intercept communications, or compromise the device's integrity and availability.
Who's at risk
Water utilities, electric cooperatives, and other critical infrastructure operators using RUGGEDCOM ROX II managed Ethernet switches for network communications in control system environments. The full line of ROX II devices (MX5000, RX1400–RX1536, RX5000 series) used in industrial networking applications is affected.
How it could be exploited
An attacker must first obtain a legitimate, highly privileged account on the device's web interface (e.g., through credential compromise, phishing, or insider access). They then use client-side enforcement bypasses in the web interface to escalate to OS-level code execution on the affected RUGGEDCOM device.
Prerequisites
- Valid privileged (admin-level) web interface credentials
- Network access to the RUGGEDCOM ROX II web interface (typically port 80/443)
- Vulnerable firmware version (< 2.16.5)
- Remotely exploitable over network
- Requires valid privileged credentials
- Affects network device with control system access
- Low attack complexity
- High CVSS score (9.9)
Exploitability
Low exploit probability (EPSS 0.9%)
Affected products (11)
11 with fix
| Product | Affected Versions | Fix Status |
| --- | --- | --- |
| RUGGEDCOM ROX MX5000 | < 2.16.5 | 2.16.5 |
| RUGGEDCOM ROX MX5000RE | < 2.16.5 | 2.16.5 |
| RUGGEDCOM ROX RX1400 | < 2.16.5 | 2.16.5 |
| RUGGEDCOM ROX RX1500 | < 2.16.5 | 2.16.5 |
| RUGGEDCOM ROX RX1501 | < 2.16.5 | 2.16.5 |
| RUGGEDCOM ROX RX1510 | < 2.16.5 | 2.16.5 |
| RUGGEDCOM ROX RX1511 | < 2.16.5 | 2.16.5 |
| RUGGEDCOM ROX RX1512 | < 2.16.5 | 2.16.5 |
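To triage an asset inventory against the affected range stated in this advisory (the MX5000, RX1400–RX1536 and RX5000 families, firmware below 2.16.5), the following added example, which is not Siemens or ICS-CERT code, classifies each device. The inventory records, host names and status labels are constructed for illustration; versions are compared numerically because a string comparison would rank "2.9.1" above "2.16.5".

```python
import re

FIXED = (2, 16, 5)  # first fixed firmware version named in the advisory

# Accepts "RUGGEDCOM ROX RX1500", "ROX RX1500" or bare "RX1500".
MODEL_RE = re.compile(
    r"(?:RUGGEDCOM\s+)?(?:ROX\s+)?(MX5000(?:RE)?|RX(\d{4}))", re.I)

def is_affected_model(model):
    """True for the product families the advisory summary names."""
    m = MODEL_RE.fullmatch(model.strip())
    if not m:
        return False
    if m.group(2) is None:          # MX5000 / MX5000RE
        return True
    num = int(m.group(2))           # RX family: RX1400-RX1536, RX5000
    return 1400 <= num <= 1536 or num == 5000

def parse_version(text):
    """Extract major.minor[.patch] as an int tuple, or None if absent."""
    m = re.search(r"(\d+)\.(\d+)(?:\.(\d+))?", text or "")
    if not m:
        return None
    return tuple(int(p) if p else 0 for p in m.groups())

def triage(device):
    """Return PATCH, OK, REVIEW (version unreadable) or NOT_IN_SCOPE."""
    if not is_affected_model(device["model"]):
        return "NOT_IN_SCOPE"
    version = parse_version(device.get("firmware"))
    if version is None:
        return "REVIEW"             # affected family, verify by hand
    return "PATCH" if version < FIXED else "OK"

def report(inventory):
    return {d["host"]: triage(d) for d in inventory}

# Constructed sample inventory (not real devices).
INVENTORY = [
    {"host": "sw-pump-01", "model": "RUGGEDCOM ROX RX1500", "firmware": "2.15.1"},
    {"host": "sw-sub-02", "model": "RX1536", "firmware": "ROX 2.16.5"},
    {"host": "sw-core-03", "model": "MX5000RE", "firmware": "v2.9.1"},
    {"host": "sw-lab-04", "model": "RX5000", "firmware": "unknown"},
    {"host": "sw-edge-05", "model": "GENERIC-SW24", "firmware": "2.10.0"},
]

if __name__ == "__main__":
    for host, status in report(INVENTORY).items():
        print(f"{host}: {status}")
```

Devices that come back as REVIEW belong to an affected family but reported no parseable firmware string, so they should be checked on the device itself.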
Remediation & Mitigation
Do now
WORKAROUND: Restrict network access to the web interface of RUGGEDCOM devices using firewall rules or IP allowlisting to trusted engineering workstations only
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
HOTFIX: Update all affected RUGGEDCOM ROX II devices to firmware version 2.16.5 or later
Long-term hardening
HARDENING: Implement network segmentation to isolate RUGGEDCOM ROX II devices from the Internet and untrusted networks
HARDENING: Enforce strong, unique credentials for privileged web interface accounts and implement multi-factor authentication where possible