<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Cpe:2.3:o:siemens:ruggedcom_rox_rx1510_firmware:*:*:*:*:*:*:*:* - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/cpes/cpe2.3osiemensruggedcom_rox_rx1510_firmware/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Fri, 17 Jul 2026 10:06:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/cpes/cpe2.3osiemensruggedcom_rox_rx1510_firmware/feed.xml" rel="self" type="application/rss+xml"/><item><title>Three Chained Zero-Days in Siemens ROX II OT Switches Lead to Root Access</title><link>https://feed.craftedsignal.io/briefs/2026-07-siemens-rox-ii-zero-days/</link><pubDate>Fri, 17 Jul 2026 10:06:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-07-siemens-rox-ii-zero-days/</guid><description>Unit 42 and Siemens collaborated to disclose three critical chained zero-day vulnerabilities (CVE-2025-40948, CVE-2025-40947, CVE-2025-40949) in Siemens ROX II operational technology switches, allowing an attacker to achieve arbitrary file disclosure, privilege escalation to root, and persistent root-level code execution.</description><content:encoded><![CDATA[<p>A critical chain of three zero-day vulnerabilities (CVE-2025-40948, CVE-2025-40947, and CVE-2025-40949) has been discovered and detailed by Unit 42 in partnership with Siemens, affecting Siemens ROX II operational technology (OT) switches. Successful exploitation of this chain grants an attacker full privilege escalation and persistent root access on these devices, which are integral components of industrial control networks. The vulnerabilities range from Medium to Critical severity, with CVSS 3.1 scores of 6.8, 7.5, and 9.1 respectively. The attack vector progresses through arbitrary file disclosure via insecure <code>xz</code> utility configuration, privilege escalation through command injection in the feature key validation function, and persistent root code execution by injecting malicious commands into the web management task scheduler's cron table. Siemens has released advisories SSA-973901, SSA-078743, and SSA-081142, recommending customers update affected ROX II devices to firmware version V2.17.1.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker gains network access to the Siemens ROX II device, typically via its management interface.</li>
<li>The attacker exploits CVE-2025-40948, an arbitrary file disclosure vulnerability, by leveraging an insecure configuration of a root-privileged daemon executing the <code>xz</code> utility. By providing specific parameters (<code>-f -c -d</code>) and an arbitrary file path, the attacker can read any file on the switch's file system, including sensitive configuration files, password hashes, and private cryptographic keys.</li>
<li>The attacker analyzes the disclosed information to craft a malicious payload and identify writable directories for subsequent steps.</li>
<li>The attacker uses the web UI's normal file upload functionality for feature keys to upload a crafted feature key file containing a malicious script (e.g., a Python reverse shell) to a writable directory on the switch.</li>
<li>The attacker exploits CVE-2025-40947, a command injection vulnerability, by triggering the feature key validation function. This function fails to sanitize an attacker-controlled payload within the feature key's signature field, which is then inserted directly into a command executed with root privileges via the <code>gpgv</code> utility, granting the attacker full root access.</li>
<li>With root privileges, the attacker exploits CVE-2025-40949 by using the switch’s web management task scheduler to inject malicious commands directly into the system's root cron table.</li>
<li>The injected commands establish persistent code execution, allowing the attacker to maintain full control of the device even after reboots.</li>
<li>The attacker can now perform sustained malicious activities, such as data exfiltration from the industrial network or denial-of-service attacks against critical OT infrastructure.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>The successful exploitation of these chained vulnerabilities transforms Siemens ROX II OT switches, critical components of industrial control networks, into compromised platforms. This provides attackers with persistent root access, undermining the integrity and availability of the industrial network. Such a compromise can lead to severe operational disruptions, unauthorized access to sensitive industrial processes, data exfiltration, and the potential for denial-of-service attacks. The persistence mechanism ensures that malicious activity can continue undetected across system reboots, making remediation challenging and significantly increasing the overall risk to critical infrastructure. While no specific victim counts are given, the nature of OT switches means any targeted sector utilizing these devices (e.g., manufacturing, energy, utilities) would be at risk.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Patch CVE-2025-40948, CVE-2025-40947, and CVE-2025-40949 by updating affected Siemens ROX II devices to firmware version V2.17.1 immediately, as recommended in Siemens advisories SSA-973901, SSA-078743, and SSA-081142.</li>
<li>Deploy the Sigma rules in this brief to your SIEM and tune them for your Linux-based OT environments, focusing on <code>process_creation</code> and <code>file_event</code> logs.</li>
<li>Monitor process creation logs for unusual invocations of <code>xz</code> with <code>-f -c -d</code> parameters, indicative of CVE-2025-40948 exploitation.</li>
<li>Monitor process creation logs for <code>gpgv</code> executions containing shell metacharacters or unexpected command line arguments, potentially indicating CVE-2025-40947 exploitation.</li>
<li>Monitor file integrity and modification logs for changes to <code>/etc/crontab</code> or user-specific cron files on Linux systems, which could signal CVE-2025-40949 exploitation.</li>
</ul>
]]></content:encoded><category domain="severity">critical</category><category domain="type">threat</category><category>industrial-control-systems</category><category>ot-security</category><category>zero-day</category><category>privilege-escalation</category><category>command-injection</category><category>persistence</category><category>siemens</category><category>vulnerability-exploit</category></item></channel></rss>