Siemens RUGGEDCOM ROS Devices

Plan Patch | CVSS 8.8 | ICS-CERT ICSA-25-294-04 | Jul 8, 2025
Siemens
Attack path
Attack Vector: Adjacent
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

Multiple vulnerabilities in Siemens RUGGEDCOM Operating System (ROS) allow attackers to bypass authentication and gain administrative access to industrial network switches. The vulnerabilities include weak cryptographic implementations (CWE-327), improper error handling (CWE-755), and insufficient access controls (CWE-693). Affected devices include over 70 RUGGEDCOM switch models. Only a subset of V5.X firmware versions have patches available; V4.X and earlier versions have no fix planned. Siemens recommends network access restrictions and service deactivation for unpatched devices.

What this means
What could happen
An attacker on the local network segment could gain administrative access to RUGGEDCOM industrial switches without authentication, allowing them to modify network configurations, redirect traffic, or disable network connectivity that critical infrastructure devices depend on.
Who's at risk
This vulnerability affects Siemens RUGGEDCOM industrial switches, which are purpose-built network devices deployed in critical infrastructure networks including water authorities, electric utilities, and other industrial sites. A majority of RUGGEDCOM product lines (V4.X versions and many V5.X models) have no patch available. Operators running affected models must implement network access controls immediately to prevent unauthorized administrative access.
How it could be exploited
An attacker with network access to ports 22, 80, or 443 (SSH, HTTP, HTTPS) can send crafted requests to bypass authentication controls or exploit weak cryptographic implementations. The attacker gains administrative privileges and can reconfigure the device, sniff traffic, or disrupt network operations for connected control systems.
Prerequisites
  • Network access to ports 22/tcp (SSH), 80/tcp (HTTP), or 443/tcp (HTTPS) on the RUGGEDCOM device
  • Device must be on the same network segment or reachable via routed network path
  • No valid credentials required for exploitation
  • Remotely exploitable over network
  • No authentication required for some attack paths
  • Low exploit complexity
  • Majority of affected products have no vendor fix available (end-of-life versions)
  • Affects network infrastructure for safety-critical systems
  • High CVSS score (8.8)
Exploitability
Unlikely to be exploited — EPSS score 0.4%
Affected products (87)
34 with fix, 53 pending

Product                         Affected Versions   Fix Status
RUGGEDCOM RS900                 All versions        No fix yet
RUGGEDCOM RS900 (32M) V4.X      All versions        No fix yet
RUGGEDCOM RS900 (32M) V5.X      < 5.10.0            5.10.0
RUGGEDCOM RS900G                All versions        No fix yet
RUGGEDCOM RS900G (32M) V4.X     All versions        No fix yet
Remediation & Mitigation
Do now
  • WORKAROUND: Restrict network access to ports 22/tcp, 80/tcp, and 443/tcp to trusted IP addresses and management networks only. Implement firewall rules at network edge and on adjacent switches.
  • WORKAROUND: Disable SSH server on the RUGGEDCOM device if remote terminal access is not required for operations or maintenance.
  • WORKAROUND: Disable the web server (HTTP/HTTPS) on the RUGGEDCOM device if web-based management is not required for operations or maintenance.
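
One way to check the first workaround against an exported rule set, as an added example (not code from Siemens or the advisory). The rule tuple format, the first-match model with an implicit final deny, and every address below are constructed assumptions.

```python
import ipaddress

MGMT_PORTS = (22, 80, 443)  # SSH, HTTP, HTTPS: the services the advisory says to restrict

def _within(net, candidates):
    """True if net lies entirely inside one of the candidate networks."""
    return any(net.version == c.version and net.subnet_of(c) for c in candidates)

def audit_acl(rules, device_ips, trusted_nets):
    """Flag permit rules that let untrusted sources reach a device's management ports.

    rules: ordered (action, src_cidr, dst_cidr, port) tuples, port None meaning any port.
    Assumed model: first match wins, implicit deny at the end.
    Returns a sorted list of (device_ip, port, src_cidr, rule_index).
    """
    trusted = [ipaddress.ip_network(n) for n in trusted_nets]
    findings = []
    for dev in device_ips:
        addr = ipaddress.ip_address(dev)
        for port in MGMT_PORTS:
            earlier_denies = []
            for idx, (action, src, dst, rule_port) in enumerate(rules):
                if addr not in ipaddress.ip_network(dst):
                    continue
                if rule_port is not None and rule_port != port:
                    continue
                src_net = ipaddress.ip_network(src)
                if action == "deny":
                    earlier_denies.append(src_net)
                elif _within(src_net, earlier_denies):
                    continue  # fully shadowed by an earlier deny, never matches
                elif not _within(src_net, trusted):
                    findings.append((dev, port, src, idx))
    return sorted(findings)

# Constructed sample data (documentation address ranges, not from the advisory).
SAMPLE_RULES = [
    ("permit", "192.0.2.0/28", "198.51.100.0/24", 22),      # management subnet -> SSH
    ("permit", "192.0.2.0/24", "198.51.100.0/24", 443),     # wider than the management subnet
    ("deny", "203.0.113.0/24", "198.51.100.0/24", None),    # block an office range outright
    ("permit", "203.0.113.0/25", "198.51.100.10/32", 80),   # shadowed by the deny above
    ("permit", "0.0.0.0/0", "198.51.100.10/32", 80),        # any source -> HTTP
]
SAMPLE_DEVICES = ["198.51.100.10", "198.51.100.11"]
TRUSTED = ["192.0.2.0/28"]

if __name__ == "__main__":
    for finding in audit_acl(SAMPLE_RULES, SAMPLE_DEVICES, TRUSTED):
        print("exposed: device %s port %d from %s (rule %d)" % finding)
```

A permit rule whose source only partly overlaps an earlier deny is still reported, so the audit errs toward flagging.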
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

RUGGEDCOM RS900 (32M) V4.X
  • HOTFIX: For RUGGEDCOM devices running V5.X firmware (RS900 32M, RS900G 32M, RSG2100 32M, RSG2100P 32M, RSG2288, RSG2300, RSG2300P, RSG2488, RSG907R, RSG908C, RSG909R, RSG910C, RSG920P, RSL910, RST2228, RST2228P, RST916C, RST916P, RMC8388, RS416Pv2, RS416v2, and NC variants): Update to firmware version 5.10.0 or later.
All products
  • HARDENING: For devices using TLS/HTTPS: configure the web client to use only GCM (Galois/Counter Mode) cipher suites to mitigate weak encryption vulnerabilities. Consult the RUGGEDCOM ROS configuration manual for the list of supported cipher suites.
Long-term hardening
  • HARDENING: Isolate RUGGEDCOM switches and connected control system networks from the business network using air-gapped networks or demilitarized zones (DMZ). Implement network segmentation so these devices are not reachable from untrusted network segments.
API: /api/v1/advisories/ab11143f-77d9-4036-8ff6-4bffea7b4aed
