Siemens RUGGEDCOM ROS Devices
Plan Patch · 8.8 · ICS-CERT ICSA-25-294-04 · Jul 8, 2025
Attack Vector: Adjacent
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary
Multiple vulnerabilities affect the RUGGEDCOM Operating System (ROS) across numerous network appliance and management device models. The vulnerabilities involve weak cryptographic algorithms (CWE-327), improper error handling (CWE-755), and configuration/deployment issues (CWE-693). Affected devices include industrial routers, managed switches, and control system management appliances. Siemens has released patches for some V5.X products (version 5.10.0 or later) but has stated no fixes are available for most other product families and all V4.X versions.
What this means
What could happen
An attacker with network access to a RUGGEDCOM device could exploit weak cryptography or configuration flaws to intercept sensitive communications, inject malicious configuration commands, or disrupt network connectivity for critical infrastructure systems like water treatment plants or power distribution networks.
Who's at risk
Water utilities, electric utilities, and other critical infrastructure operators using Siemens RUGGEDCOM network devices for industrial network management, remote site connectivity, or control system data routing. This includes all RUGGEDCOM RS-series routers, RSG-series managed switches, and M-series/RMC-series management appliances deployed in network segments connecting SCADA systems, RTUs, or other field devices.
How it could be exploited
An attacker on the local network or with routed access to a RUGGEDCOM device can reach unprotected web server (port 80/443) or SSH (port 22) services. By exploiting weak cipher suites or the missing GCM cipher requirement, the attacker can perform man-in-the-middle attacks to intercept management traffic and extract credentials or send rogue configuration commands to alter device behavior.
Prerequisites
- Network access to the RUGGEDCOM device on ports 80, 443, or 22
- Device is not behind a firewall or ACL restricting these ports to trusted IPs
- Weak cipher suites are enabled (default configuration)
- Web server or SSH services are enabled (typical default)
- Remotely exploitable
- Low complexity attack
- No authentication required for some vectors
- Widespread deployment across product lines
- Most product variants have no fix available
- Affects industrial network infrastructure critical to continuous operations
Exploitability
Low exploit probability (EPSS 0.1%)
Affected products (87)
34 with fix, 53 pending

| Product | Affected Versions | Fix Status |
| --- | --- | --- |
| RUGGEDCOM RS900 | All versions | No fix yet |
| RUGGEDCOM RS900 (32M) V4.X | All versions | No fix yet |
| RUGGEDCOM RS900 (32M) V5.X | < 5.10.0 | 5.10.0 |
| RUGGEDCOM RS900G | All versions | No fix yet |
| RUGGEDCOM RS900G (32M) V4.X | All versions | No fix yet |
Remediation & Mitigation
Do now
WORKAROUND: Restrict network access to ports 80/tcp, 443/tcp, and 22/tcp on all RUGGEDCOM devices to only trusted IP addresses (engineering workstations, network management servers) using firewall rules or device-level access control lists
WORKAROUND: Disable the web server on RUGGEDCOM devices if it is not required for normal operations and the product firmware supports disabling this service
WORKAROUND: Disable the SSH server on RUGGEDCOM devices if it is not required for normal operations and the product firmware supports disabling this service
Schedule — requires maintenance window
Patching may require a device reboot; plan for process interruption
RUGGEDCOM RS900 (32M) V4.X
HOTFIX: For devices running RUGGEDCOM V5.X firmware on affected product lines (RMC8388, RS416Pv2, RS416v2, RS900/RS900G/RS900GNC 32M variants, RSG2100/RSG2100P/RSG2100NC 32M variants, RSG2288, RSG2300/RSG2300P, RSG2488, RSG907R, RSG908C, RSG909R, RSG910C, RSG920P/RSG920PNC, RSL910/RSL910NC, RST2228/RST2228P, RST916C/RST916P, and RMC8388NC variants): Update to firmware version 5.10.0 or later
All products
HARDENING: Configure the web client to use only GCM cipher suites when communicating with RUGGEDCOM devices; consult the ROS configuration manual for the list of supported GCM ciphers for your product version
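One way to apply the GCM-only requirement in a scripted management client, as an added example that is not Siemens code or part of the original advisory. The cipher string and all function names are assumptions; narrow the string to the GCM suites the ROS manual lists for your firmware version.

```python
import socket
import ssl

# Assumption: OpenSSL cipher string covering AES-GCM suites for TLS 1.2.
# Narrow it to the GCM suites the ROS manual lists for your firmware version.
GCM_CIPHER_STRING = "ECDHE+AESGCM:DHE+AESGCM:RSA+AESGCM"


def is_gcm(suite_name):
    """True if an OpenSSL or IANA suite name denotes a GCM suite."""
    return "GCM" in suite_name.upper()


def gcm_only_context(cafile=None):
    """Client context that verifies the device certificate and offers
    only GCM suites for TLS 1.2 (older protocol versions are refused)."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(GCM_CIPHER_STRING)
    return ctx


def offered_tls12_suites(ctx):
    """Suites the context offers for TLS 1.2. TLS 1.3 suites (names start
    with TLS_) are not governed by set_ciphers(), so they are excluded
    here and checked after the handshake instead."""
    return [c["name"] for c in ctx.get_ciphers()
            if not c["name"].startswith("TLS_")]


def connect_checked(host, port=443, cafile=None, timeout=5.0):
    """Handshake with the device and refuse to continue unless the
    negotiated suite is GCM. Returns (suite_name, protocol_version)."""
    ctx = gcm_only_context(cafile)
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            suite, version, _bits = tls.cipher()
            if not is_gcm(suite):
                raise ssl.SSLError(f"non-GCM suite negotiated: {suite}")
            return suite, version


if __name__ == "__main__":
    suites = offered_tls12_suites(gcm_only_context())
    print(len(suites), "TLS 1.2 suites offered, all GCM:", all(map(is_gcm, suites)))
```

Pass the device's certificate or issuing CA as `cafile` so verification stays enabled; a handshake failure against a device means it offered no GCM suite in common with the client.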
Long-term hardening
HARDENING: Place all RUGGEDCOM devices on isolated industrial network segments behind firewalls, separate from business networks; ensure they are not reachable from the internet
HARDENING: For remote management access, use a VPN tunnel to an out-of-band management network rather than exposing device management ports directly