CVE-2025-40949 - Siemens RUGGEDCOM ROX Web UI Command Injection
An authenticated remote command injection vulnerability exists in the web UI scheduler functionality of multiple RUGGEDCOM ROX devices before V2.17.1, allowing arbitrary command execution with root privileges.
A critical command injection vulnerability, identified as CVE-2025-40949, affects multiple RUGGEDCOM ROX devices. Specifically, the vulnerability resides in the Scheduler functionality of the Web UI. Versions prior to V2.17.1 of the RUGGEDCOM ROX MX5000, MX5000RE, RX1400, RX1500, RX1501, RX1510, RX1511, RX1512, RX1524, RX1536, and RX5000 are affected. The root cause of this vulnerability is the insufficient sanitization of user-supplied input, which allows an authenticated attacker to inject arbitrary commands into the task scheduling backend. Successful exploitation allows a remote attacker to execute arbitrary commands with root privileges on the underlying operating system of the affected device. This poses a significant risk to industrial control systems (ICS) environments where these devices are commonly deployed.
Attack Chain
- An attacker gains authenticated access to the RUGGEDCOM ROX Web UI.
- The attacker navigates to the Scheduler functionality within the Web UI.
- The attacker injects malicious commands into a user-supplied input field (e.g., task name, command to execute, schedule).
- The injected commands are not properly sanitized by the application.
- When the scheduler processes the task, the injected commands are executed by the underlying operating system with root privileges.
- The attacker achieves arbitrary command execution, potentially allowing them to install malware, modify configurations, or disrupt operations.
- The attacker leverages the initial access to pivot to other network resources or maintain persistence on the device.
Impact
Successful exploitation of CVE-2025-40949 allows an authenticated remote attacker to execute arbitrary commands with root privileges on the RUGGEDCOM ROX device. This could lead to complete system compromise, allowing the attacker to disrupt critical infrastructure operations, steal sensitive data, or use the compromised device as a pivot point to attack other systems within the network. Given the widespread use of RUGGEDCOM devices in industrial control systems, the potential impact is significant and could affect various sectors, including energy, transportation, and manufacturing.
Recommendation
- Upgrade all affected RUGGEDCOM ROX devices to version V2.17.1 or later to patch CVE-2025-40949.
- Monitor web server logs (Sigma log source: webserver) for suspicious requests to the Scheduler functionality of the Web UI, in particular POST requests carrying shell metacharacters.
- Implement the Sigma rules listed below to detect potential exploitation attempts targeting CVE-2025-40949.
Detection coverage (2 rules)
- Detects CVE-2025-40949 Exploitation — RUGGEDCOM ROX Web UI Command Injection Attempt (level: high): attempts to inject OS commands via the RUGGEDCOM ROX Web UI scheduler functionality.
- Detects CVE-2025-40949 Exploitation — RUGGEDCOM ROX Web UI Suspicious POST to Scheduler (level: high): monitors for POST requests to scheduler endpoints with unusual characters.
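As an added illustration of the log-based detection that the recommendations and the rule descriptions above call for (example code written for this page, not Siemens' own or the platform's rule logic): it parses combined-format web server log lines and flags POST requests to the scheduler path whose decoded path or parameter values contain shell metacharacters, decoding twice so double-encoded input is not missed. The "/scheduler" prefix and every log line are constructed assumptions; the real ROX Web UI endpoint must be taken from the device's own logs.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed sample in combined log format; not real RUGGEDCOM ROX output.
# "/scheduler" is an assumed placeholder for the Web UI scheduler endpoint.
SAMPLE_LOG = """\
10.0.0.5 - admin [12/May/2025:10:01:22 +0000] "GET /scheduler HTTP/1.1" 200 1843 "-" "Mozilla/5.0"
10.0.0.5 - admin [12/May/2025:10:02:07 +0000] "POST /scheduler/add?name=nightly_backup&interval=daily HTTP/1.1" 200 312 "-" "Mozilla/5.0"
10.0.0.9 - admin [12/May/2025:10:05:41 +0000] "POST /scheduler/add?name=backup%3Bid&interval=daily HTTP/1.1" 200 312 "-" "curl/8.0"
10.0.0.9 - admin [12/May/2025:10:06:03 +0000] "POST /scheduler/add?name=nightly%2524%2528id%2529 HTTP/1.1" 200 312 "-" "curl/8.0"
10.0.0.7 - - [12/May/2025:10:07:15 +0000] "POST /login?next=%2Fscheduler%3Bx HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# Shell metacharacters that indicate command chaining or substitution.
META_RE = re.compile(r'[;|&`\r\n]|\$[({]')
SCHEDULER_PREFIX = "/scheduler"  # assumed placeholder, see lead-in


def parse_line(line):
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def injected_values(target):
    """Return the decoded path and query values that contain metacharacters.
    Values are decoded twice so double-encoded payloads are not missed."""
    parts = urlsplit(target)
    candidates = [unquote(unquote(parts.path))]
    candidates += [unquote(v) for _, v in parse_qsl(parts.query, keep_blank_values=True)]
    return [v for v in candidates if META_RE.search(v)]


def find_hits(log_text):
    """Flag POSTs to the scheduler whose path or parameters carry metacharacters."""
    hits = []
    for line in log_text.splitlines():
        e = parse_line(line)
        if e is None or e["method"] != "POST":
            continue
        if not unquote(urlsplit(e["target"]).path).startswith(SCHEDULER_PREFIX):
            continue
        for value in injected_values(e["target"]):
            hits.append((e["ip"], e["user"], value))
    return hits


if __name__ == "__main__":
    for ip, user, value in find_hits(SAMPLE_LOG):
        print(f"ALERT {ip} user={user} value={value!r}")
```

Access logs normally omit POST bodies, so this only catches payloads carried in the URL; pair it with request-body or application-level logging to cover form fields such as the task name.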