Siemens RUGGEDCOM ROX II

Monitor | CVSS 4.1 | ICS-CERT ICSA-25-226-14 | Aug 12, 2025
Siemens
Attack path
Attack Vector: Network
Auth Required: High
Complexity: Low
User Interaction: None needed
Summary

RUGGEDCOM ROX II devices fail to properly validate the type and size of files uploaded through the web management interface. This allows an attacker with a legitimate high-privilege administrative account to upload arbitrary files to the device filesystem. No fixes are planned for any affected version; Siemens recommends implementing network access controls and following industrial security operational guidelines to protect these devices.

What this means
What could happen
An authenticated attacker with high-privilege web interface access could upload arbitrary files to RUGGEDCOM ROX II devices, potentially allowing execution of malicious code or modification of device configuration that could disrupt critical network routing and communication functions.
Who's at risk
This vulnerability affects organizations operating Siemens RUGGEDCOM ROX II industrial routers used in critical network infrastructure, including water authorities, electric utilities, and other industrial facilities that depend on these devices for secure, reliable communication in OT and hybrid IT/OT environments. All versions of the ROX MX5000, RX1400-RX1512, RX1524, RX1536, and RX5000 families are impacted.
How it could be exploited
An attacker must first gain valid high-privilege credentials for the web management interface of a RUGGEDCOM ROX II device (e.g., administrative account). With these credentials, the attacker exploits the lack of file type and size validation to upload a malicious file—such as a shell script or binary—onto the device filesystem. The uploaded file could then be executed to compromise device operations or network traffic flowing through the router.
Prerequisites
  • Valid administrative or high-privilege account credentials for the RUGGEDCOM ROX II web interface
  • Network access to the web management interface (typically port 80/443)
  • Device must have file upload functionality enabled on the web interface
No patch available (end-of-life products)
High-privilege credentials required but commonly shared across operators
Boundary device with potential to disrupt critical network routing
File upload validation absent on industrial network appliance
Exploitability
Unlikely to be exploited — EPSS score 0.1%
Affected products (11)
11 EOL
Product | Affected Versions | Fix Status
RUGGEDCOM ROX MX5000 | All versions | No fix (EOL)
RUGGEDCOM ROX RX1400 | All versions | No fix (EOL)
RUGGEDCOM ROX RX1500 | All versions | No fix (EOL)
RUGGEDCOM ROX RX1501 | All versions | No fix (EOL)
RUGGEDCOM ROX RX1510 | All versions | No fix (EOL)
RUGGEDCOM ROX RX1511 | All versions | No fix (EOL)
RUGGEDCOM ROX RX1512 | All versions | No fix (EOL)
RUGGEDCOM ROX RX1524 | All versions | No fix (EOL)
Remediation & Mitigation
Do now
HARDENING: Restrict network access to the web management interface of RUGGEDCOM ROX II devices to authorized personnel only using firewall rules or network segmentation
WORKAROUND: Monitor file upload activity and unauthorized changes to device filesystem through logging and alerting
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HARDENING: Enable strong authentication mechanisms (e.g., multi-factor authentication or certificate-based access) for the web management interface if supported by the device
HARDENING: Regularly audit and rotate credentials for administrative accounts on RUGGEDCOM ROX II devices
Mitigations - no patch available
The following products have reached End of Life with no planned fix: RUGGEDCOM ROX MX5000, RUGGEDCOM ROX RX1400, RUGGEDCOM ROX RX1500, RUGGEDCOM ROX RX1501, RUGGEDCOM ROX RX1510, RUGGEDCOM ROX RX1511, RUGGEDCOM ROX RX1512, RUGGEDCOM ROX RX1524, RUGGEDCOM ROX RX1536, RUGGEDCOM ROX RX5000, RUGGEDCOM ROX MX5000RE. Apply the following compensating controls:
HARDENING: Implement network segmentation to isolate RUGGEDCOM ROX II management traffic on a separate administrative VLAN with restricted access
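
One way to check that the access restriction and administrative VLAN controls above actually hold is to scan firewall flow logs for connections to the web management ports (80/443) that originate outside the admin VLAN. This is an added example, not part of the advisory or any Siemens tooling; the subnet, device addresses and log layout are constructed assumptions.

```python
import ipaddress

# Constructed assumptions (not from the advisory): subnet, device addresses, log layout.
MGMT_PORTS = {80, 443}  # web management ports listed in the prerequisites
ADMIN_VLAN = ipaddress.ip_network("10.50.0.0/24")  # hypothetical admin VLAN
ROX_DEVICES = {ipaddress.ip_address(a) for a in ("10.60.1.1", "10.60.1.2")}

# Constructed flow records: timestamp src dst dst_port proto action
SAMPLE_FLOWS = """\
2025-08-12T08:01:10Z 10.50.0.15 10.60.1.1 443 tcp allow
2025-08-12T08:03:42Z 10.20.7.33 10.60.1.1 443 tcp allow
2025-08-12T08:04:05Z 10.20.7.33 10.60.1.2 80 tcp deny
2025-08-12T08:05:19Z 10.50.0.15 10.60.1.2 22 tcp allow
2025-08-12T08:06:00Z 192.0.2.44 10.60.1.2 80 tcp allow
malformed line
"""


def find_violations(flow_text):
    """Flag flows to a ROX II management port that originate outside the admin VLAN.

    Returns (violations, skipped); skipped counts lines that could not be parsed.
    """
    violations, skipped = [], 0
    for line in flow_text.splitlines():
        try:
            ts, src, dst, port, proto, action = line.split()
            src_ip = ipaddress.ip_address(src)
            dst_ip = ipaddress.ip_address(dst)
            port = int(port)
        except ValueError:  # wrong field count, bad address or bad port
            skipped += 1
            continue
        if dst_ip not in ROX_DEVICES or port not in MGMT_PORTS or proto != "tcp":
            continue
        if src_ip in ADMIN_VLAN:
            continue  # expected administrative traffic
        # "allow" means the segmentation rule did not hold; "deny" means it held
        # but something outside the admin VLAN is trying the interface.
        severity = "high" if action == "allow" else "info"
        violations.append({"time": ts, "src": src, "dst": dst, "port": port,
                           "action": action, "severity": severity})
    return violations, skipped


if __name__ == "__main__":
    found, bad = find_violations(SAMPLE_FLOWS)
    for v in found:
        print(f'{v["severity"]:4} {v["time"]} {v["src"]} -> {v["dst"]}:{v["port"]} ({v["action"]})')
    print(f"{bad} unparseable line(s) skipped")
```
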
API: /api/v1/advisories/6a4a6835-96d7-4889-8604-237906824d92


Siemens RUGGEDCOM ROX II | CVSS 4.1 - OTPulse