OTPulse

Code Injection Vulnerability in RUGGEDCOM ROS

Plan Patch · 8 · SSA-840800 · Jul 12, 2022
Attack Vector: Network
Auth Required: Low
Complexity: Low
User Interaction: Required
Summary

RUGGEDCOM ROS-based industrial Ethernet switches contain a code injection vulnerability accessible through the command-line interface (CLI). An authenticated user with CLI access could inject malicious code that is executed by the device, potentially leading to complete compromise of the switch and the networks it connects. The vulnerability affects multiple RUGGEDCOM product lines including M969, M2100, M2200, RS400, RS401, RS416, RS900, RS910, RS920, RS930, RS940, RS1600, RS8000, RMC, RP110, RSG, RSL, and RST series devices. Siemens has released firmware updates (v4.3.8 for v4.x branch and v5.6.0 for v5.x branch) for most affected products, but 13 product variants are end-of-life with no fix planned.

What this means
What could happen
An authenticated attacker with CLI access could inject and execute arbitrary code on the RUGGEDCOM device, potentially gaining full control of the network switch and disrupting communications between critical infrastructure systems like SCADA networks, RTUs, and protective relays.
Who's at risk
This affects water utilities, electric utilities, and other industrial operators using Siemens RUGGEDCOM managed industrial Ethernet switches (M-series, RS-series, RSG-series, RSL-series, RST-series) for network connectivity in SCADA systems, protection relay networks, and other critical OT communication infrastructure. Any organization using RUGGEDCOM devices for inter-device communications in substations, water treatment plants, or power generation facilities should assess their inventory.
How it could be exploited
An attacker with valid CLI credentials (or who has gained them through a prior compromise) connects to the RUGGEDCOM device command line interface. The attacker injects malicious code into a vulnerable input field that is processed without proper sanitization. The device executes the injected commands, allowing the attacker to modify device configuration, monitor traffic, or pivot to connected OT systems.
Prerequisites
  • Valid CLI authentication credentials (username and password or SSH key)
  • Network access to the RUGGEDCOM device CLI port (typically SSH on port 22 or Telnet on port 23)
  • Affected firmware version running on the device
  • Remotely exploitable via network CLI access
  • Requires valid authentication credentials
  • Code injection (CWE-94)
  • Low complexity attack once credentials obtained
  • Affects network backbone infrastructure used by multiple safety systems
  • No patch available for 13 product variants
Exploitability
Low exploit probability (EPSS 0.8%)
Affected products (152)
136 with fix, 16 pending

Product              Affected Versions   Fix Status
RUGGEDCOM M969       < 4.3.8             4.3.8
RUGGEDCOM M969F      All versions        No fix yet
RUGGEDCOM M969NC     < 4.3.8             4.3.8
RUGGEDCOM i800       < 4.3.8             4.3.8
RUGGEDCOM i800NC     < 4.3.8             4.3.8
Remediation & Mitigation
Do now
  • WORKAROUND: For products with no fix available (M969F, RS900GPF, RS940GF, M2100F, M2200F, RS400F, RS416F, RS416PF, RS900F, RS900GF, RSG2100F, RSG2100PF, RSG2200F, RSG2300F, RSG2300PF, RSG2488F), implement network access controls to restrict CLI access to authorized engineering workstations only
  • HARDENING: Restrict CLI access to the RUGGEDCOM device using firewall rules; only permit connections from authorized management networks or workstations
  • HARDENING: Implement strong CLI authentication policies: enforce strong passwords or SSH key-based authentication, disable default credentials
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

  • HOTFIX: Update RUGGEDCOM devices running firmware v4.x to version 4.3.8 or later
  • HOTFIX: Update RUGGEDCOM devices running firmware v5.x to version 5.6.0 or later
Long-term hardening
  • HARDENING: Disable remote CLI access (SSH/Telnet) on RUGGEDCOM devices if local-only management is sufficient
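
The remediation steps above can be applied to an asset inventory with a short triage script. This is an added example, not code from OTPulse or Siemens; it assumes the inventory holds only RUGGEDCOM ROS devices from the affected families, and the hostnames, firmware strings and action labels are constructed for illustration.

```python
import re

# Products the advisory lists as having no fix available (workaround only).
NO_FIX = {
    "M969F", "RS900GPF", "RS940GF", "M2100F", "M2200F", "RS400F", "RS416F",
    "RS416PF", "RS900F", "RS900GF", "RSG2100F", "RSG2100PF", "RSG2200F",
    "RSG2300F", "RSG2300PF", "RSG2488F",
}
# First fixed release per firmware branch, as stated in the advisory.
FIXED = {4: (4, 3, 8), 5: (5, 6, 0)}


def parse_version(text):
    """Return (major, minor, patch) or None if the string is not x.y.z."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)", text.strip())
    return tuple(int(part) for part in m.groups()) if m else None


def triage(model, firmware):
    """Map one device to an action taken from the advisory's remediation list."""
    name = model.upper().replace("RUGGEDCOM", "").strip()
    if name in NO_FIX:
        return "restrict-cli"          # no fix: network access controls only
    version = parse_version(firmware)
    if version is None or version[0] not in FIXED:
        return "review"                # branch not covered by the fix versions
    # Compare as integer tuples so 4.3.10 sorts above 4.3.8.
    return "patched" if version >= FIXED[version[0]] else "update"


# Constructed sample inventory (hypothetical hostnames and firmware strings).
INVENTORY = [
    ("sub1-sw01", "RUGGEDCOM M969", "4.3.7"),
    ("sub1-sw02", "RUGGEDCOM M969F", "4.3.8"),
    ("wtp-sw01", "RUGGEDCOM RS900", "v5.6.0"),
    ("wtp-sw02", "RUGGEDCOM i800", "4.3.10"),
    ("gen-sw01", "RUGGEDCOM RS416", "3.9.1"),
]


def triage_inventory(rows):
    """Return {hostname: action} for every (hostname, model, firmware) row."""
    return {host: triage(model, fw) for host, model, fw in rows}


if __name__ == "__main__":
    for host, action in triage_inventory(INVENTORY).items():
        print(f"{host}: {action}")
```

Devices returned as `restrict-cli` stay exposed after any firmware update, so they belong in the firewall and access-control work rather than the patch schedule.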