OTPulse

Siemens RUGGEDCOM ROX II

MonitorCVSS 7.6ICS-CERT ICSA-25-226-20Aug 12, 2025
Siemens
Attack path
Attack VectorPhysical
Auth RequiredNone
ComplexityLow
User InteractionNone needed
Summary

RUGGEDCOM ROX II devices do not properly restrict access to Built-In-Self-Test (BIST) mode, which can be entered during boot. The BIST mode does not properly enforce authentication, allowing a local attacker with physical access to bypass authentication and obtain root shell access to the device. Affected products include RX1400, RX1500, RX1501, RX1510, RX1511, RX1512, RX1536, RX5000, MX5000, and MX5000RE models, all firmware versions. Siemens is preparing firmware updates and recommends implementing compensating controls until patches are available.

What this means
What could happen
An attacker with physical access to a RUGGEDCOM ROX II device can boot into Built-In-Self-Test (BIST) mode to bypass authentication and gain root shell access, allowing them to reconfigure the device, access sensitive data, or disrupt network operations.
Who's at risk
Water authorities and electrical utilities that use RUGGEDCOM ROX II edge routers and managed switches in their industrial networks, particularly any installations where the devices may be accessible in unmanned equipment rooms or remote sites. Affected equipment includes RX1400, RX1500, RX1501, RX1510, RX1511, RX1512, RX1536, RX5000, MX5000, and MX5000RE models.
How it could be exploited
An attacker with physical access to the device can interrupt the boot process, enter BIST mode, and use undocumented or inadequately protected test functions to obtain an unauthenticated root shell. From there, they can run arbitrary commands on the device.
Prerequisites
  • Physical access to the device during or before boot
  • Ability to interrupt normal boot sequence
  • Knowledge of BIST mode entry procedure
no patch availablephysical access required but often achievable in remote sitesaffects all firmware versionsallows root shell accesstest/debug mode bypass
Exploitability
Unlikely to be exploited — EPSS score 0.0%
Affected products (11)
11 EOL
ProductAffected VersionsFix Status
RUGGEDCOM ROX RX1400All versionsNo fix (EOL)
RUGGEDCOM ROX RX1500All versionsNo fix (EOL)
RUGGEDCOM ROX RX1501All versionsNo fix (EOL)
RUGGEDCOM ROX RX1510All versionsNo fix (EOL)
RUGGEDCOM ROX RX1511All versionsNo fix (EOL)
RUGGEDCOM ROX RX1512All versionsNo fix (EOL)
RUGGEDCOM ROX RX1536All versionsNo fix (EOL)
RUGGEDCOM ROX RX5000All versionsNo fix (EOL)
Remediation & Mitigation
0/5
Do now
0/2
HARDENINGRestrict physical access to RUGGEDCOM ROX II devices to authorized personnel only, and control access to boot interfaces and console ports.
WORKAROUNDDisable or restrict access to BIST mode through BIOS/firmware settings or physical controls if the device supports such configuration.
Schedule — requires maintenance window
0/1

Patching may require device reboot — plan for process interruption

HOTFIXMonitor Siemens security advisories for firmware updates and apply patches to RUGGEDCOM ROX II devices as soon as they become available.
Mitigations - no patch available
0/2
The following products have reached End of Life with no planned fix: RUGGEDCOM ROX RX1400, RUGGEDCOM ROX RX1500, RUGGEDCOM ROX RX1501, RUGGEDCOM ROX RX1510, RUGGEDCOM ROX RX1511, RUGGEDCOM ROX RX1512, RUGGEDCOM ROX RX1536, RUGGEDCOM ROX RX5000, RUGGEDCOM ROX MX5000, RUGGEDCOM ROX MX5000RE, RUGGEDCOM ROX RX1524. Apply the following compensating controls:
HARDENINGDeploy RUGGEDCOM ROX II devices only in physically secure network closets or control rooms with access logging.
HARDENINGImplement network segmentation and firewall rules to limit which systems can communicate with RUGGEDCOM ROX II management interfaces.
View full CISA ICS-CERT advisory
API: /api/v1/advisories/218c18a9-185f-4941-9d8f-d562456555d2

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.