Siemens RUGGEDCOM ROX II
Monitor · 7.6 · ICS-CERT ICSA-25-226-20 · Aug 12, 2025
Attack Vector: Physical
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary
RUGGEDCOM ROX II devices contain an authentication bypass vulnerability in their Built-In-Self-Test (BIST) mode. The BIST mechanism does not properly restrict access, allowing a local attacker to bypass normal authentication and access a root shell on the affected device. This affects all versions of RUGGEDCOM ROX MX5000, MX5000RE, RX1400, RX1500, RX1501, RX1510, RX1511, RX1512, RX1524, RX1536, and RX5000 models. Siemens is preparing fix versions and recommends implementing network access controls, physical security, and adherence to industrial security operational guidelines as interim countermeasures.
What this means
What could happen
An attacker with physical access to a RUGGEDCOM ROX II device can bypass authentication through the Built-In-Self-Test (BIST) mode and gain root-level shell access, allowing them to modify device configuration, intercept network traffic, or disrupt communications.
Who's at risk
Water utilities and electric utilities that use Siemens RUGGEDCOM ROX II routing and network appliances for supervisory control, remote site communications, or WAN connectivity should assess their exposure. These devices are commonly deployed at field sites, substations, and treatment plants for secure industrial network operations.
How it could be exploited
An attacker with local access to the device can trigger BIST mode during startup or through physical ports to reach a root shell without providing valid credentials. From there, they can execute arbitrary commands on the device, including modifying firewall rules, routing tables, or VPN settings to alter or intercept network traffic in the control system.
Prerequisites
- Physical access to the RUGGEDCOM ROX II device
- Ability to interact with the device console or BIST interface during boot or operation
- No authentication required for exploitation
- Physical access required but low complexity to exploit
- No patch available for any affected model
- Affects network control and communication infrastructure
- Can enable lateral movement and eavesdropping within the network
Exploitability
Low exploit probability (EPSS 0.0%)
Affected products (11)
11 EOL
| Product | Affected Versions | Fix Status |
|---|---|---|
| RUGGEDCOM ROX RX1400 | All versions | No fix (EOL) |
| RUGGEDCOM ROX RX1500 | All versions | No fix (EOL) |
| RUGGEDCOM ROX RX1501 | All versions | No fix (EOL) |
| RUGGEDCOM ROX RX1510 | All versions | No fix (EOL) |
| RUGGEDCOM ROX RX1511 | All versions | No fix (EOL) |
| RUGGEDCOM ROX RX1512 | All versions | No fix (EOL) |
| RUGGEDCOM ROX RX1536 | All versions | No fix (EOL) |
| RUGGEDCOM ROX RX5000 | All versions | No fix (EOL) |
Remediation & Mitigation
Do now
- HARDENING: Restrict physical access to RUGGEDCOM ROX II devices through locked enclosures, restricted areas, or other physical security measures
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
- HARDENING: Implement network segmentation and firewall rules to restrict network access to these devices to only authorized management and process networks
- HOTFIX: Monitor for security updates from Siemens; apply firmware patches immediately when made available
- HARDENING: Follow Siemens operational security guidelines for Industrial Security and recommendations in product manuals for secure device configuration
CVEs (1)
API: /api/v1/advisories/218c18a9-185f-4941-9d8f-d562456555d2