
RUGGEDCOM ROX series CVE-2025-40948

EUVD-2025-209781 | MEDIUM
Improper Neutralization of Argument Delimiters in a Command ('Argument Injection') (CWE-88)
2026-05-12 | siemens | GHSA-xjfj-j4qj-2x75
CVSS 4.0 score: 6.1

CVSS Vector (NVD)

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:N/SC:H/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector: Network
Attack Complexity: Low
Privileges Required: High
User Interaction: None
Scope: X

Lifecycle Timeline (3 events)

- CVSS changed, May 12, 2026 10:22 (NVD): 6.8 (MEDIUM) -> 6.1 (MEDIUM)
- Analysis Generated, May 12, 2026 10:05 (vuln.today)
- CVE Published, May 12, 2026 08:20 (nvd): MEDIUM 6.8

Description (NVD)

A vulnerability has been identified in RUGGEDCOM ROX MX5000 (All versions < V2.17.1), RUGGEDCOM ROX MX5000RE (All versions < V2.17.1), RUGGEDCOM ROX RX1400 (All versions < V2.17.1), RUGGEDCOM ROX RX1500 (All versions < V2.17.1), RUGGEDCOM ROX RX1501 (All versions < V2.17.1), RUGGEDCOM ROX RX1510 (All versions < V2.17.1), RUGGEDCOM ROX RX1511 (All versions < V2.17.1), RUGGEDCOM ROX RX1512 (All versions < V2.17.1), RUGGEDCOM ROX RX1524 (All versions < V2.17.1), RUGGEDCOM ROX RX1536 (All versions < V2.17.1), RUGGEDCOM ROX RX5000 (All versions < V2.17.1). Affected devices do not properly validate input in the web server's JSON-RPC interface.

This could allow an authenticated remote attacker to read arbitrary files from the underlying operating system's filesystem with root privileges.

Analysis (AI)

Authenticated remote attackers can read arbitrary files from the operating system filesystem with root privileges on affected RUGGEDCOM ROX devices, due to improper input validation in the JSON-RPC web server interface. All versions of ROX MX5000, MX5000RE, RX1400, RX1500, RX1501, RX1510, RX1511, RX1512, RX1524, RX1536, and RX5000 below V2.17.1 are affected. No public exploit code had been identified at the time of analysis.

Technical Context (AI)

The vulnerability exists in the JSON-RPC interface exposed by the web server component of RUGGEDCOM ROX industrial networking devices. JSON-RPC is a remote procedure call protocol that exchanges data in JSON format; the vulnerability stems from the device's failure to properly sanitize or validate user-supplied parameters passed through this interface. The root cause is classified as CWE-88 (Argument Injection or Modification), in which a parameter value supplied by the caller is interpreted by the receiving program as a command-line argument or option rather than as plain data. By sending JSON-RPC requests with crafted parameter values, an authenticated remote attacker can bypass the intended access controls and read sensitive system files that would normally be restricted, since the resulting filesystem operations run with root privileges on the device's underlying operating system.

Remediation (AI)

Vendor-released patch: Upgrade all affected RUGGEDCOM ROX devices to firmware version V2.17.1 or later. This update resolves input validation deficiencies in the JSON-RPC interface. For organizations unable to immediately apply the patch, implement network-level access controls to restrict connectivity to the JSON-RPC web interface (typically port 443 or 8443 depending on device configuration) to trusted administrative networks only, using firewall rules or industrial control system (ICS) access lists. Additionally, enforce strong password policies and multi-factor authentication (MFA) for administrative accounts with JSON-RPC access to reduce the attack surface from credential compromise. Regularly audit access logs and JSON-RPC request patterns for anomalous file read operations targeting sensitive system paths. These mitigations reduce exploitability but do not eliminate the underlying vulnerability; patching remains the primary remediation path.
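As an added defensive example (not the page's, NVD's or Siemens' code), the check below ties the argument-delimiter reasoning from the Technical Context section to the log audit suggested under Remediation: it scans JSON-RPC request bodies and flags string parameters that look like injected CLI options, ".." traversal, or absolute paths outside an allowlisted directory. The method name `log.read`, the allowlisted directory and the sample request bodies are constructed assumptions, not values taken from ROX firmware.

```python
import json
import re
from typing import Any, Iterator, Optional
# Hypothetical allowlist: directories a file-reading RPC method may legitimately serve.
ALLOWED_PREFIXES = ("/var/log/",)
# Flag values a downstream CLI would parse as an option (CWE-88) or that use ".." traversal.
OPTION_LIKE = re.compile(r"^\s*-")
TRAVERSAL = re.compile(r"(^|/)\.\.(/|$)")

def iter_strings(value: Any) -> Iterator[str]:  # every string nested anywhere in a params value
    if isinstance(value, str):
        yield value
    elif isinstance(value, dict):
        yield from (s for v in value.values() for s in iter_strings(v))
    elif isinstance(value, list):
        yield from (s for v in value for s in iter_strings(v))

def classify_param(s: str) -> Optional[str]:
    """Label one parameter string, or return None if it looks benign."""
    if OPTION_LIKE.search(s):
        return "option-like argument"
    if TRAVERSAL.search(s):  # before the allowlist: "/var/log/../.." still starts with "/var/log/"
        return "path traversal"
    if s.startswith("/") and not s.startswith(ALLOWED_PREFIXES):
        return "absolute path outside allowlist"
    return None

def audit_jsonrpc_log(lines: list) -> list:
    """Scan raw JSON-RPC request bodies; return (method, param, finding) per suspicious value."""
    findings = []
    for line in lines:
        try:
            req = json.loads(line)
            if not isinstance(req, dict):
                raise ValueError("not a JSON-RPC request object")
        except ValueError:  # json.JSONDecodeError is a subclass of ValueError
            findings.append(("<unparseable>", line[:40], "malformed JSON"))
            continue
        for s in iter_strings(req.get("params")):
            label = classify_param(s)
            if label:
                findings.append((str(req.get("method", "<none>")), s, label))
    return findings

# Constructed sample request bodies (not captured from a real device); "log.read" is hypothetical.
SAMPLE_LOG = [
    '{"jsonrpc":"2.0","id":1,"method":"log.read","params":{"path":"/var/log/syslog"}}',
    '{"jsonrpc":"2.0","id":2,"method":"log.read","params":{"path":"/var/log/../../etc/passwd"}}',
    '{"jsonrpc":"2.0","id":3,"method":"log.read","params":{"path":"--help"}}',
    '{"jsonrpc":"2.0","id":4,"method":"log.read","params":["/etc/hostname"]}',
]
```

Running `audit_jsonrpc_log(SAMPLE_LOG)` flags requests 2, 3 and 4 and passes request 1; the allowlist and patterns should be tuned to the methods a given deployment actually exposes.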


CVE-2025-40948 vulnerability details – vuln.today
