ctipilot.ch
← Back to the live brief
NOTABLECVE-2025-40948 +2NATOB1vulnerability

CVE-2025-40948/-40947/-40949 — Siemens RUGGEDCOM ROX II: Unit 42 chains three OT-switch flaws to persistent root

discovered 2026-07-18 04:35 UTCrun 2026-07-18T0409Z-intel2 sourcesmulti-source

Unit 42 published a chained analysis (2026-07-17) of three vulnerabilities in Siemens RUGGEDCOM ROX II, the ruggedised OT switch/router family Siemens positions as a network-security boundary inside industrial networks — rail, utilities, water and manufacturing, including Swiss and European critical infrastructure (Unit 42, 2026-07-17). The chain moves from information disclosure to persistent root. Stage one, CVE-2025-40948 (CVSS 6.8), abuses a root-privileged daemon that invokes the xz utility with attacker-supplied parameters: supplying -f, -c and -d together turns xz into a cat equivalent, letting an attacker read any file on the device — configuration, password hashes, private keys (Unit 42, 2026-07-17). Stage two, CVE-2025-40947 (CVSS 7.5), is command injection in the feature-key signature-verification routine: the parsed signature string is inserted unsanitised into a gpgv command executed via system() as root, so a crafted feature-key file whose signature field carries a command-injection payload runs attacker code as root (typically after the attacker uploads a script through the web UI's normal feature-key upload). Stage three, CVE-2025-40949 (CVSS 9.1), is command injection in the web-management task scheduler — Siemens describes it as an "authenticated remote attacker" injecting commands that "execute arbitrary commands with root privileges" (Siemens ProductCERT SSA-081142, 2026-05-12) — writing malicious entries into the scheduler configuration for persistent, reboot-surviving root execution.

Siemens patched all three in firmware V2.17.1 across the ROX II family (MX5000/MX5000RE, the RX1400–RX1536 line, RX5000) and published advisories SSA-973901, SSA-078743 and SSA-081142; no in-the-wild exploitation is reported. The transferable lesson beyond this device family, per Unit 42, is the anti-pattern: a device invoking a general-purpose CLI utility (here xz) as root inside its own validation logic is a recurring OT/embedded-appliance weakness worth hunting for elsewhere.

Successful exploitation of this chain would allow an attacker to achieve full privilege escalation and persistent root-level access on these devices, which are critical components of industrial control networks.

Palo Alto Networks Unit 42 2026-07-17

Ruggedcom Rox contains an input validation vulnerability in the Scheduler functionality that could allow an authenticated remote attacker to execute arbitrary commands with root privileges on the underlying operating system.

Siemens ProductCERT (SSA-081142) 2026-05-12

ATT&CK mapping

4 techniques mapped from the cited reporting · MITRE ATT&CK v19.1

Initial Access TA0001
T1190Exploit Public-Facing Application

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network. The weakness in the system can be a software bug, a temporary glitch, or a misconfiguration.

overlap matrix · ATT&CK page ↗

Execution TA0002
T1053.003Scheduled Task/Job: Cron

Adversaries may abuse the <code>cron</code> utility to perform task scheduling for initial or recurring execution of malicious code. The <code>cron</code> utility is a time-based job scheduler for Unix-like operating systems. The <code> crontab</code> file contains the schedule of cron entries to be run and the specified times for execution. Any <code>crontab</code> files are stored in operating system-specific file paths.

overlap matrix · ATT&CK page ↗

T1059.004Command and Scripting Interpreter: Unix Shell

Adversaries may abuse Unix shell commands and scripts for execution. Unix shells are the primary command prompt on Linux, macOS, and ESXi systems, though many variations of the Unix shell exist (e.g. sh, ash, bash, zsh, etc.) depending on the specific OS or distribution. Unix shells can control every aspect of a system, with certain commands requiring elevated privileges.

overlap matrix · ATT&CK page ↗

Persistence TA0003
T1053.003Scheduled Task/Job: Cron

Adversaries may abuse the <code>cron</code> utility to perform task scheduling for initial or recurring execution of malicious code. The <code>cron</code> utility is a time-based job scheduler for Unix-like operating systems. The <code> crontab</code> file contains the schedule of cron entries to be run and the specified times for execution. Any <code>crontab</code> files are stored in operating system-specific file paths.

overlap matrix · ATT&CK page ↗

Privilege Escalation TA0004
T1053.003Scheduled Task/Job: Cron

Adversaries may abuse the <code>cron</code> utility to perform task scheduling for initial or recurring execution of malicious code. The <code>cron</code> utility is a time-based job scheduler for Unix-like operating systems. The <code> crontab</code> file contains the schedule of cron entries to be run and the specified times for execution. Any <code>crontab</code> files are stored in operating system-specific file paths.

overlap matrix · ATT&CK page ↗

T1068Exploitation for Privilege Escalation

Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.

overlap matrix · ATT&CK page ↗

PROVENANCE

AI-generated · no human review · this permalink is the shareable record for the finding · verify operationally critical claims against the linked primary source.