{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/attack.credential_access/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":6.8,"id":"CVE-2025-40948"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["RUGGEDCOM ROX MX5000","RUGGEDCOM ROX MX5000RE","RUGGEDCOM ROX RX1400","RUGGEDCOM ROX RX1500","RUGGEDCOM ROX RX1501","RUGGEDCOM ROX RX1510","RUGGEDCOM ROX RX1511","RUGGEDCOM ROX RX1512","RUGGEDCOM ROX RX1524","RUGGEDCOM ROX RX1536","RUGGEDCOM ROX RX5000"],"_cs_severities":["medium"],"_cs_tags":["cve","siemens","ruggedcom","ics","file-access","attack.credential_access"],"_cs_type":"advisory","_cs_vendors":["Siemens"],"content_html":"\u003cp\u003eSiemens Ruggedcom Rox devices are affected by an improper access control vulnerability within the web server\u0026rsquo;s JSON-RPC interface. This flaw, identified as CVE-2025-40948, could allow an authenticated remote attacker to read arbitrary files with root privileges from the underlying operating system\u0026rsquo;s filesystem. The affected products include RUGGEDCOM ROX MX5000, MX5000RE, RX1400, RX1500, RX1501, RX1510, RX1511, RX1512, RX1524, RX1536, and RX5000 versions prior to 2.17.1. This vulnerability poses a significant risk to critical infrastructure sectors, particularly critical manufacturing, where these devices are commonly deployed worldwide. Successful exploitation could lead to unauthorized access to sensitive system files and potentially compromise the integrity and availability of industrial control systems.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains authenticated access to the Ruggedcom Rox device\u0026rsquo;s web interface. This could be achieved through stolen credentials, default credentials, or other authentication bypass vulnerabilities.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious JSON-RPC request targeting the vulnerable endpoint. This request includes a payload designed to exploit the improper input validation.\u003c/li\u003e\n\u003cli\u003eThe malicious JSON-RPC request is sent to the device\u0026rsquo;s web server.\u003c/li\u003e\n\u003cli\u003eThe web server processes the request without properly validating the input, allowing the attacker to specify arbitrary file paths.\u003c/li\u003e\n\u003cli\u003eThe device attempts to access the specified file path with root privileges.\u003c/li\u003e\n\u003cli\u003eThe device reads the contents of the file and returns them to the attacker.\u003c/li\u003e\n\u003cli\u003eThe attacker gains access to sensitive system information, configuration files, or other critical data.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2025-40948 allows an authenticated remote attacker to read arbitrary files with root privileges from the underlying operating system\u0026rsquo;s filesystem on affected Siemens Ruggedcom Rox devices. This could enable the attacker to gain access to sensitive information, such as configuration files, credentials, or other critical data, potentially leading to further compromise of the industrial control system. The vulnerability affects a wide range of Ruggedcom Rox devices, impacting critical infrastructure sectors, particularly critical manufacturing.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply the vendor-supplied patch to upgrade to version 2.17.1 or later to remediate CVE-2025-40948.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect CVE-2025-40948 Exploitation Attempt via JSON-RPC\u0026rdquo; to identify potential exploitation attempts.\u003c/li\u003e\n\u003cli\u003eMonitor webserver logs for unusual JSON-RPC requests targeting the Ruggedcom Rox devices.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-14T15:03:45Z","date_published":"2026-05-14T15:03:45Z","id":"https://feed.craftedsignal.io/briefs/2026-05-siemens-ruggedcom-rox-file-access/","summary":"Siemens Ruggedcom Rox is vulnerable to improper access control, allowing an authenticated remote attacker to read arbitrary files with root privileges from the underlying operating system's filesystem via the web server's JSON-RPC interface, as tracked by CVE-2025-40948.","title":"Siemens Ruggedcom Rox Improper Access Control Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-05-siemens-ruggedcom-rox-file-access/"}],"language":"en","title":"CraftedSignal Threat Feed — Attack.credential_access","version":"https://jsonfeed.org/version/1.1"}