Siemens Ruggedcom Rox Improper Access Control Vulnerability
Siemens Ruggedcom Rox is vulnerable to improper access control, allowing an authenticated remote attacker to read arbitrary files with root privileges from the underlying operating system's filesystem via the web server's JSON-RPC interface, as tracked by CVE-2025-40948.
Siemens Ruggedcom Rox devices are affected by an improper access control vulnerability within the web server’s JSON-RPC interface. This flaw, identified as CVE-2025-40948, could allow an authenticated remote attacker to read arbitrary files with root privileges from the underlying operating system’s filesystem. The affected products include RUGGEDCOM ROX MX5000, MX5000RE, RX1400, RX1500, RX1501, RX1510, RX1511, RX1512, RX1524, RX1536, and RX5000 versions prior to 2.17.1. This vulnerability poses a significant risk to critical infrastructure sectors, particularly critical manufacturing, where these devices are commonly deployed worldwide. Successful exploitation could lead to unauthorized access to sensitive system files and potentially compromise the integrity and availability of industrial control systems.
Attack Chain
- The attacker gains authenticated access to the Ruggedcom Rox device’s web interface. This could be achieved through stolen credentials, default credentials, or other authentication bypass vulnerabilities.
- The attacker crafts a malicious JSON-RPC request targeting the vulnerable endpoint. This request includes a payload designed to exploit the improper input validation.
- The malicious JSON-RPC request is sent to the device’s web server.
- The web server processes the request without properly validating the input, allowing the attacker to specify arbitrary file paths.
- The device attempts to access the specified file path with root privileges.
- The device reads the contents of the file and returns them to the attacker.
- The attacker gains access to sensitive system information, configuration files, or other critical data.
Impact
Successful exploitation of CVE-2025-40948 allows an authenticated remote attacker to read arbitrary files with root privileges from the underlying operating system’s filesystem on affected Siemens Ruggedcom Rox devices. This could enable the attacker to gain access to sensitive information, such as configuration files, credentials, or other critical data, potentially leading to further compromise of the industrial control system. The vulnerability affects a wide range of Ruggedcom Rox devices, impacting critical infrastructure sectors, particularly critical manufacturing.
Recommendation
- Apply the vendor-supplied patch to upgrade to version 2.17.1 or later to remediate CVE-2025-40948.
- Deploy the Sigma rule “Detect CVE-2025-40948 Exploitation Attempt via JSON-RPC” to identify potential exploitation attempts.
- Monitor webserver logs for unusual JSON-RPC requests targeting the Ruggedcom Rox devices.
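One way to act on the log-monitoring recommendation, as an added example that is not part of this advisory or of the platform's Sigma rules: a Python heuristic that parses JSON-RPC request records and flags calls whose params carry absolute system paths or directory-traversal sequences. The record layout, field names and RPC method names are assumptions (the advisory does not publish the vulnerable endpoint or parameter), and the sample records are constructed, not captured from a device.

```python
import json
import re

# Param values that look like an absolute OS path or a traversal sequence.
PATH_RE = re.compile(
    r"(?:^|[^A-Za-z0-9])/(?:etc|proc|root|var|home|boot|bin|sbin|usr)(?:/|$)|\.\./"
)


def jsonrpc_param_strings(req):
    """Yield every string value nested anywhere under a JSON-RPC request's params."""
    stack = [req.get("params")]
    while stack:
        value = stack.pop()
        if isinstance(value, str):
            yield value
        elif isinstance(value, dict):
            stack.extend(value.values())
        elif isinstance(value, list):
            stack.extend(value)


def flag_file_access(records):
    """Return (src, rpc_method, value) for POSTed JSON-RPC calls with path-like params.

    Each record is an assumed dict with 'src', 'method' (HTTP) and 'body' (raw text).
    Non-JSON bodies and non-JSON-RPC bodies are skipped rather than raising.
    """
    hits = []
    for rec in records:
        if rec.get("method") != "POST":
            continue
        try:
            req = json.loads(rec.get("body", ""))
        except ValueError:
            continue
        if not isinstance(req, dict) or req.get("jsonrpc") != "2.0" or "method" not in req:
            continue
        for value in jsonrpc_param_strings(req):
            if PATH_RE.search(value):
                hits.append((rec.get("src"), req["method"], value))
                break  # one finding per request is enough for triage
    return hits


def _req(method, params):
    return json.dumps({"jsonrpc": "2.0", "id": 1, "method": method, "params": params})


SAMPLE_RECORDS = [  # constructed records with hypothetical RPC method names
    {"src": "10.0.0.5", "method": "POST", "body": _req("call_a", {"name": "eth0"})},
    {"src": "10.0.0.9", "method": "POST", "body": _req("call_b", {"path": "/etc/shadow"})},
    {"src": "10.0.0.9", "method": "POST", "body": _req("call_c", ["../../etc/passwd"])},
    {"src": "10.0.0.7", "method": "POST", "body": "not json at all"},
]

if __name__ == "__main__":
    for src, rpc_method, value in flag_file_access(SAMPLE_RECORDS):
        print(f"suspicious JSON-RPC call from {src}: {rpc_method} -> {value!r}")
```

Tune PATH_RE to the paths legitimately referenced by your ROX JSON-RPC traffic before deploying; the default list is a starting point, not a vendor-confirmed allowlist.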
Detection coverage (2)
Detect CVE-2025-40948 Exploitation Attempt via JSON-RPC
Severity: medium. Detects a CVE-2025-40948 exploitation attempt: suspicious JSON-RPC requests to Siemens Ruggedcom Rox devices indicating potential file access attempts.
Detect CVE-2025-40948 Exploitation Attempt via JSON-RPC POST
Severity: medium. Detects a CVE-2025-40948 exploitation attempt: suspicious JSON-RPC POST requests to Siemens Ruggedcom Rox devices indicating potential file access attempts.