OTPulse

Siemens RUGGEDCOM ROX II

Monitor | 4.1 | ICS-CERT ICSA-25-226-14 | Aug 12, 2025
Attack Vector: Network
Auth Required: High
Complexity: Low
User Interaction: None needed
Summary

RUGGEDCOM ROX II devices do not properly validate file type and size on uploads through the web interface. An attacker with a legitimate, highly privileged account could upload arbitrary files to the device filesystem. Affected models include MX5000, MX5000RE, RX1400, RX1500, RX1501, RX1510, RX1511, RX1512, RX1524, RX1536, and RX5000 (all versions).

What this means
What could happen
An attacker with administrative credentials could upload malicious files to these industrial routers, potentially compromising the integrity of the device and any networks it connects. This could disrupt network connectivity for critical infrastructure like water distribution or power systems.
Who's at risk
Water and electric utilities that use Siemens RUGGEDCOM ROX II industrial routers (MX5000, RX1400, RX1500, RX1510, RX1511, RX1512, RX1524, RX1536, RX5000 series) for network connectivity in critical infrastructure. These devices are typically deployed at remote sites, water treatment plants, substations, and other operational control points.
How it could be exploited
An attacker with valid administrative credentials accesses the RUGGEDCOM ROX II web management interface and uploads a malicious file (executable, script, or configuration file) without type or size restrictions. The uploaded file is stored on the device filesystem where it could be executed or used to modify device behavior.
Prerequisites
  • Valid administrative account credentials for the web interface
  • Network access to the web management interface (typically port 80/443)
  • Ability to navigate the web interface file upload function

Requires high privileges (administrative credentials)
No patch available; vendor preparing fix
Industrial network router: compromise could disrupt operational connectivity
File upload vulnerability (CWE-434)
Exploitability
Low exploit probability (EPSS 0.1%)
Affected products (11)
11 EOL

| Product | Affected Versions | Fix Status |
| --- | --- | --- |
| RUGGEDCOM ROX MX5000 | All versions | No fix (EOL) |
| RUGGEDCOM ROX RX1400 | All versions | No fix (EOL) |
| RUGGEDCOM ROX RX1500 | All versions | No fix (EOL) |
| RUGGEDCOM ROX RX1501 | All versions | No fix (EOL) |
| RUGGEDCOM ROX RX1510 | All versions | No fix (EOL) |
| RUGGEDCOM ROX RX1511 | All versions | No fix (EOL) |
| RUGGEDCOM ROX RX1512 | All versions | No fix (EOL) |
| RUGGEDCOM ROX RX1524 | All versions | No fix (EOL) |
Remediation & Mitigation
Do now
WORKAROUND: Restrict network access to the web management interface using firewall rules, VLANs, or access control lists; limit to engineering workstations and authorized administrative systems only
HARDENING: Implement strong administrative credential policies: enforce unique, complex passwords and disable default accounts if present
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HARDENING: Monitor administrative login activity and file uploads on affected devices for unauthorized access attempts
HARDENING: Follow Siemens operational security guidelines (https://www.siemens.com/cert/operational-guidelines-industrial-security) for secure device configuration and operation
Mitigations - no patch available
The following products have reached End of Life with no planned fix: RUGGEDCOM ROX MX5000, RUGGEDCOM ROX RX1400, RUGGEDCOM ROX RX1500, RUGGEDCOM ROX RX1501, RUGGEDCOM ROX RX1510, RUGGEDCOM ROX RX1511, RUGGEDCOM ROX RX1512, RUGGEDCOM ROX RX1524, RUGGEDCOM ROX RX1536, RUGGEDCOM ROX RX5000, RUGGEDCOM ROX MX5000RE. Apply the following compensating controls:
HARDENING: Segment RUGGEDCOM ROX II devices from general IT networks; keep them in a dedicated OT or management zone with strict egress filtering
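
One way to act on the access-restriction and monitoring items above, as an added example (not code from OTPulse, Siemens or ICS-CERT): it flags web-interface logins and uploads that come from outside the management zone, repeated login failures, and every in-zone upload so it can be matched to a change ticket. The log format, device names, addresses and the 10.10.50.0/28 management subnet are constructed assumptions; this page does not give the ROX II log layout, so adapt the regex to what your collector receives.

```python
import ipaddress
import re

# Assumption: the only subnet allowed to reach the router web interface.
MGMT_NETS = [ipaddress.ip_network("10.10.50.0/28")]

# Constructed log format and sample events, NOT the real ROX II log layout.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) webui: (?P<event>LOGIN_OK|LOGIN_FAIL|FILE_UPLOAD)"
    r" user=(?P<user>\S+) src=(?P<src>\S+)(?: file=(?P<file>\S+) size=(?P<size>\d+))?$"
)
SAMPLE_LOG = """\
2025-08-12T02:14:07Z rx1500-site12 webui: LOGIN_FAIL user=admin src=192.168.7.23
2025-08-12T02:14:09Z rx1500-site12 webui: LOGIN_FAIL user=admin src=192.168.7.23
2025-08-12T02:14:12Z rx1500-site12 webui: LOGIN_FAIL user=admin src=192.168.7.23
2025-08-12T02:15:40Z rx1500-site12 webui: LOGIN_OK user=admin src=192.168.7.23
2025-08-12T02:17:02Z rx1500-site12 webui: FILE_UPLOAD user=admin src=192.168.7.23 file=update.bin size=48231112
2025-08-12T09:30:11Z rx1400-site03 webui: LOGIN_OK user=eng1 src=10.10.50.4
2025-08-12T09:31:55Z rx1400-site03 webui: FILE_UPLOAD user=eng1 src=10.10.50.4 file=config.xml size=20480
"""

def in_mgmt_zone(src):
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False  # unparsable source is treated as outside the zone
    return any(addr in net for net in MGMT_NETS)

def review(log_text, fail_threshold=3):
    """Return (timestamp, device, finding, source) tuples worth an analyst's look."""
    findings, fails = [], {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not a web-interface event
        ts, host, event, src = m["ts"], m["host"], m["event"], m["src"]
        if event == "LOGIN_FAIL":
            fails[(host, src)] = fails.get((host, src), 0) + 1
            if fails[(host, src)] == fail_threshold:
                findings.append((ts, host, "repeated-login-failure", src))
        elif not in_mgmt_zone(src):
            kind = "upload" if event == "FILE_UPLOAD" else "login"
            findings.append((ts, host, kind + "-outside-mgmt-zone", src))
        elif event == "FILE_UPLOAD":
            findings.append((ts, host, "upload-verify-change-ticket", src))
    return findings

if __name__ == "__main__":
    print(*review(SAMPLE_LOG), sep="\n")
```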