Multiple Vulnerabilities in Palo Alto Networks Virtual NGFW on RUGGEDCOM APE1808 Devices
Monitor · 7.5 · SSA-513708 · Jun 10, 2025
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary
Multiple Palo Alto Networks PAN-OS vulnerabilities affect RUGGEDCOM APE1808 devices. The CWEs identified include command injection (CWE-78), cross-site scripting (CWE-79), and certificate validation issues (CWE-295). CVSS 7.5, high severity.
What this means
What could happen
An attacker on the network could cause denial of service to the APE1808 firewall/gateway device, disrupting network connectivity and control communications for critical infrastructure systems.
Who's at risk
Operators of Siemens RUGGEDCOM APE1808 industrial gateways/firewalls in manufacturing and critical infrastructure environments should assess this vulnerability. The APE1808 is commonly used to protect communications between control systems, PLCs, and field devices.
How it could be exploited
An attacker with network access to the APE1808 management interface or processing plane could send crafted requests exploiting the command injection or validation flaws to crash services or disable the device, interrupting communications between control systems and field devices.
Prerequisites
- Network access to the RUGGEDCOM APE1808 device (management port or data plane)
- No authentication required based on CVSS vector (PR:N)
- Device must be running an affected firmware version (all current versions)
remotely exploitable · no authentication required · low complexity · affects gateway/firewall (network availability impact) · no patch available for all versions · high CVSS score (7.5)
Exploitability
Moderate exploit probability (EPSS 3.5%)
Affected products (1)
Product | Affected Versions | Fix Status
RUGGEDCOM APE1808 | All versions | No fix yet
Remediation & Mitigation
Do now
HOTFIX: Contact Siemens customer support for patch availability and timeline; implement Palo Alto Networks upstream mitigations referenced in their security bulletin
HARDENING: Implement network segmentation to restrict access to APE1808 management interfaces; use firewall rules to limit connections to trusted engineering networks only
WORKAROUND: Review and implement Palo Alto Networks' recommended compensating controls from their upstream security advisory until patches are available
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
HARDENING: Monitor the device for signs of exploitation (service restarts, connectivity drops); enable logging on the APE1808 if available
CVEs (8)