ctipilot.ch

Siemens RUGGEDCOM ROX II arbitrary file disclosure via root-privileged xz misuse (CVSS 6.8); Unit 42 chain

cve · CVE-2025-40948

Coverage timeline
1
first 2026-07-18 → last 2026-07-18
Peak priority
notable
1 notable
Sources cited
2
2 hosts
Sections touched
1
trending-vulnerabilities
Co-occurring entities
2
see Related entities below
ATT&CK techniques
4
pinned v19.1 · see below

Hunting pivots

Affected products
Siemens RUGGEDCOM ROX II

ATT&CK techniques

4 techniques observed across 1 entry — derived from entry metadata and body evidence, never asserted without a published entry behind it · pinned to MITRE ATT&CK v19.1 · compare on the matrix · Navigator layer (JSON)

Initial Access TA0001

T1190Exploit Public-Facing Application×1

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network. The weakness in the system can be a software bug, a temporary glitch, or a misconfiguration.

Evidence: 2026-07-18/siemens-ruggedcom-rox-ii-unit42-three-cve-chain · ATT&CK page ↗

Execution TA0002

T1053.003Scheduled Task/Job: Cron×1

Adversaries may abuse the <code>cron</code> utility to perform task scheduling for initial or recurring execution of malicious code. The <code>cron</code> utility is a time-based job scheduler for Unix-like operating systems. The <code> crontab</code> file contains the schedule of cron entries to be run and the specified times for execution. Any <code>crontab</code> files are stored in operating system-specific file paths.

Evidence: 2026-07-18/siemens-ruggedcom-rox-ii-unit42-three-cve-chain · ATT&CK page ↗

T1059.004Command and Scripting Interpreter: Unix Shell×1

Adversaries may abuse Unix shell commands and scripts for execution. Unix shells are the primary command prompt on Linux, macOS, and ESXi systems, though many variations of the Unix shell exist (e.g. sh, ash, bash, zsh, etc.) depending on the specific OS or distribution. Unix shells can control every aspect of a system, with certain commands requiring elevated privileges.

Evidence: 2026-07-18/siemens-ruggedcom-rox-ii-unit42-three-cve-chain · ATT&CK page ↗

Persistence TA0003

T1053.003Scheduled Task/Job: Cron×1

Adversaries may abuse the <code>cron</code> utility to perform task scheduling for initial or recurring execution of malicious code. The <code>cron</code> utility is a time-based job scheduler for Unix-like operating systems. The <code> crontab</code> file contains the schedule of cron entries to be run and the specified times for execution. Any <code>crontab</code> files are stored in operating system-specific file paths.

Evidence: 2026-07-18/siemens-ruggedcom-rox-ii-unit42-three-cve-chain · ATT&CK page ↗

Privilege Escalation TA0004

T1053.003Scheduled Task/Job: Cron×1

Adversaries may abuse the <code>cron</code> utility to perform task scheduling for initial or recurring execution of malicious code. The <code>cron</code> utility is a time-based job scheduler for Unix-like operating systems. The <code> crontab</code> file contains the schedule of cron entries to be run and the specified times for execution. Any <code>crontab</code> files are stored in operating system-specific file paths.

Evidence: 2026-07-18/siemens-ruggedcom-rox-ii-unit42-three-cve-chain · ATT&CK page ↗

T1068Exploitation for Privilege Escalation×1

Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.

Evidence: 2026-07-18/siemens-ruggedcom-rox-ii-unit42-three-cve-chain · ATT&CK page ↗

Story timeline

  1. 2026-07-18CVE-2025-40948/-40947/-40949 — Siemens RUGGEDCOM ROX II: Unit 42 chains three OT-switch flaws to persistent root
    trending-vulnerabilitiesUnit 42 publishes a full RUGGEDCOM ROX II exploit chain — file disclosure, feature-key command injection, and task-scheduler persistence to root

Where this entity is cited

  • trending-vulnerabilities1

Source distribution

  • cert-portal.siemens.com1 (50%)
  • unit42.paloaltonetworks.com1 (50%)

Co-occurring entities

Derived — referenced by the same focused operational entries (weekly summaries and report roundups don't count); ×N counts the shared entries.

Entries about Siemens RUGGEDCOM ROX II arbitrary file disclosure via root-privileged xz misuse (CVSS 6.8); Unit 42 chain (1)

2026-07-18 · view entry permalink →

NOTABLECVE-2025-40948 +2NATOB1

CVE-2025-40948/-40947/-40949 — Siemens RUGGEDCOM ROX II: Unit 42 chains three OT-switch flaws to persistent root

Unit 42 published a chained analysis (2026-07-17) of three vulnerabilities in Siemens RUGGEDCOM ROX II, the ruggedised OT switch/router family Siemens positions as a network-security boundary inside industrial networks — rail, utilities, water and manufacturing, including Swiss and European critical infrastructure (Unit 42, 2026-07-17). The chain moves from information disclosure to persistent root. Stage one, CVE-2025-40948 (CVSS 6.8), abuses a root-privileged daemon that invokes the xz utility with attacker-supplied parameters: supplying -f, -c and -d together turns xz into a cat equivalent, letting an attacker read any file on the device — configuration, password hashes, private keys (Unit 42, 2026-07-17). Stage two, CVE-2025-40947 (CVSS 7.5), is command injection in the feature-key signature-verification routine: the parsed signature string is inserted unsanitised into a gpgv command executed via system() as root, so a crafted feature-key file whose signature field carries a command-injection payload runs attacker code as root (typically after the attacker uploads a script through the web UI's normal feature-key upload). Stage three, CVE-2025-40949 (CVSS 9.1), is command injection in the web-management task scheduler — Siemens describes it as an "authenticated remote attacker" injecting commands that "execute arbitrary commands with root privileges" (Siemens ProductCERT SSA-081142, 2026-05-12) — writing malicious entries into the scheduler configuration for persistent, reboot-surviving root execution.

Siemens patched all three in firmware V2.17.1 across the ROX II family (MX5000/MX5000RE, the RX1400–RX1536 line, RX5000) and published advisories SSA-973901, SSA-078743 and SSA-081142; no in-the-wild exploitation is reported. The transferable lesson beyond this device family, per Unit 42, is the anti-pattern: a device invoking a general-purpose CLI utility (here xz) as root inside its own validation logic is a recurring OT/embedded-appliance weakness worth hunting for elsewhere.

Successful exploitation of this chain would allow an attacker to achieve full privilege escalation and persistent root-level access on these devices, which are critical components of industrial control networks.

Palo Alto Networks Unit 42 2026-07-17

Ruggedcom Rox contains an input validation vulnerability in the Scheduler functionality that could allow an authenticated remote attacker to execute arbitrary commands with root privileges on the underlying operating system.

Siemens ProductCERT (SSA-081142) 2026-05-12
vulnerability18 Jul 04:35Zmulti-sourceOpen finding ↗