Siemens RUGGEDCOM ROX industrial networking devices contain a critical OS command injection flaw, tracked as CVE-2025-40949, in the Scheduler function of the Web UI. The vulnerability stems from improper input validation in the task scheduling backend, allowing an authenticated remote attacker to inject arbitrary commands and execute them with root privileges on the underlying operating system. The issue carries a CVSS v3.1 score of 9.1 and was reported by researchers at the Palo Alto Networks OT Threat Research Lab.
Affected products span multiple Siemens RUGGEDCOM ROX lines, including MX5000, MX5000RE, RX1400, RX1500-series, RX1536, and RX5000 devices running versions earlier than 2.17.1. CISA republished Siemens ProductCERT guidance urging organizations to upgrade to fixed releases, restrict network exposure, and follow Siemens industrial security recommendations to reduce the risk of exploitation in operational technology environments.
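To apply the affected-version statement above to an asset inventory, the following added example (not Siemens or CISA code) flags listed models running firmware earlier than 2.17.1. The inventory rows, the status labels, and the reading of "RX1500-series" as any RX15xx model string are assumptions made for this example.

```python
import re

FIXED = (2, 17, 1)  # first fixed ROX release named in the advisory
# Model families listed as affected. Treating "RX1500-series" as any RX15xx
# model string is an assumption made for this example.
AFFECTED_MODEL = re.compile(r"^(MX5000(RE)?|RX1400|RX15\d{2}|RX5000)$")
VERSION = re.compile(r"^v?(\d+)\.(\d+)(?:\.(\d+))?", re.I)


def parse_version(text):
    """Return (major, minor, patch), or None if the string is not parseable."""
    m = VERSION.match(text.strip())
    if not m:
        return None
    return tuple(int(part or 0) for part in m.groups())


def triage(model, version):
    """Classify a device as 'not-listed', 'vulnerable', 'fixed' or 'review'."""
    model_norm = model.upper().replace("RUGGEDCOM", "").strip()
    if not AFFECTED_MODEL.match(model_norm):
        return "not-listed"
    parsed = parse_version(version)
    if parsed is None:
        return "review"  # unknown firmware on a listed model: check by hand
    # Compare numerically; as strings, "2.9.3" would sort above "2.17.1".
    return "vulnerable" if parsed < FIXED else "fixed"


# Constructed sample inventory (hostname, model, firmware); not real data.
INVENTORY = [
    ("sub-a-rtr1", "RX1500", "2.16.1"),
    ("sub-a-rtr2", "RUGGEDCOM RX1536", "2.17.1"),
    ("sub-b-rtr1", "MX5000RE", "v2.9.3"),
    ("sub-b-rtr2", "RX5000", "unknown"),
    ("plant-sw1", "EXAMPLE-SW", "5.6.0"),  # placeholder for an unlisted model
]


def report(inventory):
    """Map each hostname to its triage status."""
    return {host: triage(model, fw) for host, model, fw in inventory}


if __name__ == "__main__":
    for host, status in report(INVENTORY).items():
        print(f"{host:12} {status}")
```

Devices reported as `review` have a listed model but an unreadable version string and need a manual firmware check.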

3 events from the most recent confirmed update back to the earliest known activity.
CISA republished a Siemens ProductCERT advisory for the critical RUGGEDCOM ROX command injection vulnerability, drawing attention to the issue affecting industrial networking devices. The advisory recommends upgrading, restricting network exposure, and following Siemens industrial security guidance.
Siemens released updated RUGGEDCOM ROX software, including version 2.17.1, to address CVE-2025-40949 affecting multiple MX5000, RX1400, RX1500-series, RX1536, and RX5000 devices. The vulnerable versions are those earlier than 2.17.1.
Researchers from Palo Alto Networks OT Threat Research Lab reported an OS command injection vulnerability in the Scheduler functionality of Siemens RUGGEDCOM ROX devices. The flaw allows an authenticated remote attacker to inject commands via the Web UI task scheduling backend and execute arbitrary commands with root privileges.