Siemens RUGGEDCOM ROX II devices are the subject of a newly cataloged vulnerability — tracked as CVE-2025-40761 — that allows an attacker with physical access to the device’s serial interface to bypass authentication through the device’s Built-In-Self-Test (BIST) mode and obtain a root shell, a condition scored high under modern vulnerability metrics and already called out in industry advisories. (tenable.com)
Background
Siemens’ RUGGEDCOM ROX II family is widely deployed in industrial and critical-manufacturing environments for resilient networking in harsh conditions. These devices have been the focus of multiple security advisories in recent years, and the product line’s exposure has made it a common target for coordinated vulnerability disclosure and remediation efforts. (cert-portal.siemens.com)
CISA has archived and periodically republished advisories relating to RUGGEDCOM ROX II vulnerabilities; its public notifications also note that CISA halted ongoing updates for Siemens product advisories after January 10, 2023 and now points operators to Siemens’ ProductCERT for the latest vendor advisories. That change increases the onus on organizations to track Siemens ProductCERT releases and apply vendor guidance promptly. (cisa.gov)
Executive summary — what’s new and why it matters
- Vulnerability: Authentication bypass via alternate path (BIST mode) — attacker gains root shell via physical serial interface access. (tenable.com)
- CVE: CVE-2025-40761 (recently published in vendor and vulnerability feeds). (cvefeed.io, tenable.com)
- Severity: High — CVSS v3.1 reported at 7.6 and CVSS v4 calculated at 8.6 for this issue; both describe a high-impact local/physical attack vector. (tenable.com, cvefeed.io)
- Exploitability: Requires physical access to serial console or equivalent local channel; not currently considered remotely exploitable. (tenable.com)
- Affected models: Broad set of ROX II models (MX5000, MX5000RE, RX1400, RX1500, RX1501, RX1510, RX1511, RX1512, RX1524, RX1536, RX5000 — all versions). Operators should treat all listed units as at-risk until they verify firmware/mitigation status. (tenable.com)
- Vendor status: Siemens ProductCERT entry is referenced by public feeds for this CVE (SSA-094954), and vendor mitigation guidance in product manuals is currently the primary recommendation. At the time of writing, public vulnerability trackers identify the issue and Siemens’ product channels are the authoritative place for updates. (cvefeed.io, siemens.com)
Technical overview — how the flaw works
BIST mode and the alternate channel problem
The root cause stems from how the RUGGEDCOM ROX II firmware handles its Built-In-Self-Test (BIST) functionality. BIST is a maintenance/test mode intended for diagnostics; on affected devices it can be entered or abused via a serial (console) interface that is not sufficiently gated when the device is in a certain state. Because this path bypasses normal authentication checks, an attacker with local serial access can obtain an interactive root shell or otherwise execute privileged commands. The issue maps to CWE-288 (Authentication Bypass Using an Alternate Path or Channel). (tenable.com, cvefeed.io)
Impact model
- Confidentiality: High — root shell access lets an attacker read any file and extract secrets, credentials, or configuration. (tenable.com)
- Integrity: High — attacker can alter configuration, firmware images, or run arbitrary commands. (tenable.com)
- Availability: High — attacker with root privileges can disrupt services, reconfigure interfaces, or render the device inoperable. (tenable.com)
Affected devices — precise list operators must check
Siemens and public vulnerability feeds list the following RUGGEDCOM ROX II models as affected (noted as “all versions” in multiple feeds):
- RUGGEDCOM ROX MX5000
- RUGGEDCOM ROX MX5000RE
- RUGGEDCOM ROX RX1400
- RUGGEDCOM ROX RX1500
- RUGGEDCOM ROX RX1501
- RUGGEDCOM ROX RX1510
- RUGGEDCOM ROX RX1511
- RUGGEDCOM ROX RX1512
- RUGGEDCOM ROX RX1524
- RUGGEDCOM ROX RX1536
- RUGGEDCOM ROX RX5000 (tenable.com, cvefeed.io)
Vendor and government guidance — what’s available now
- Siemens ProductCERT is the canonical source for detailed mitigations and firmware updates for RUGGEDCOM ROX devices; recent ROX advisories (other CVEs earlier in 2022–2025) show Siemens actively releasing fixed firmware when server-side or web-interface issues are identified. For this BIST-mode issue Siemens references advisory SSA-094954 in public feeds; operators should monitor ProductCERT pages for SSA-094954 or successor advisories for updates and firmware releases. (siemens.com, cvefeed.io)
- CISA’s public advisories historically consolidate Siemens issues but note that after January 10, 2023 CISA will not continue updating Siemens product advisories beyond initial publication; CISA instead points to Siemens ProductCERT for the most current vendor guidance. CISA also reiterates standard network-defensive practices (isolate ICS networks, firewalling, avoid internet exposure, secure remote access). (cisa.gov)
- Public vulnerability trackers (Tenable, CVE databases and feeds) list CVE-2025-40761 with CVSS ratings and technical descriptions confirming the BIST/serial access bypass scenario; these feeds corroborate the affected-model listing and severity and show that the vulnerability is cataloged in multiple independent trackers. (tenable.com, cvefeed.io)
Mitigation and hardening — short-term measures you can apply now
Siemens’ immediate, model-specific guidance (as captured in vendor documentation and the summary advisory) emphasizes setting a secure boot password where supported and protecting serial/console access. If a vendor firmware patch is not yet available, apply the following layered mitigations to reduce risk.
Device-level mitigations (apply first):
- Ensure a secure boot or BIST password is configured when the product manual specifies the option; follow the exact procedure in the product configuration manual for your model to block unauthenticated entry into BIST/diagnostic mode.
- Physically restrict access to devices: place equipment in locked cabinets or secure locations, restrict console (serial) cable access, and use tamper-evident seals on enclosures.
- Where possible, disable or lock down local console access if it is not required for routine maintenance. Document and control any exceptions under change control.
- Apply the principle of least privilege to device accounts and avoid shared administrative credentials. (cert-portal.siemens.com)
- Physically isolate OT/ICS networks from business networks and the internet using firewalls and strict access control lists (ACLs). Use one-directional gateways or data diodes where appropriate. (cisa.gov)
- Enforce network segmentation so that even if a device is compromised via local access, the blast radius is limited. Maintain strict firewall rules between OT and IT zones. (cisa.gov)
- Audit and inventory all RUGGEDCOM ROX devices in your environment: identify locations (physical & network), serial/console access points, firmware version, and maintenance procedures. Maintain an authoritative asset list.
- Monitor logs and implement alerting for suspicious console or firmware access attempts; integrate OT telemetry into centralized security monitoring where possible (while preserving safety and availability constraints).
- If remote maintenance is required, mandate secure, monitored channels (e.g., vendor-managed maintenance VPNs with MFA and session recording), and remove direct internet access for the devices. (cisa.gov)
- Update incident response and business-continuity playbooks for the possibility of local-device root compromise. Include steps to isolate a unit quickly and forensically capture volatile state if feasible.
- Train field technicians on the new risk: restrict ad-hoc console operations, require supervisor sign-off for local diagnostics, and record all physical maintenance sessions.
- If you outsource device maintenance or use third-party integrators, ensure contractual controls require secure handling of console and maintenance credentials and mandate notification for any local access events.
Recommended immediate action checklist (numbered steps)
1. Identify each deployed RUGGEDCOM ROX II device and record model, serial number, firmware version, and physical location.
2. Verify whether Siemens ProductCERT has published a patch or updated advisory for SSA-094954/CVE-2025-40761; if a patch exists, plan/execute staged updates per vendor guidance. (cert-portal.siemens.com, cvefeed.io)
3. If a patch is not available, set secure boot/BIST passwords where supported and recommended in the product manual for your specific model.
4. Restrict physical access to all devices; lock cabinets, secure racks, and control serial-port access. Document access and require authorization.
5. Apply network controls: ensure the device is not accessible from the internet, segment and firewall the OT network, and restrict management access to a limited set of hardened jump hosts. (cisa.gov)
6. Monitor device behavior for new or anomalous shells, logins, or configuration changes; retain logs for forensic analysis.
7. Prepare for containment: have rollback images, clean backup configurations, and an escalation path to vendor support and regulatory reporting if you suspect compromise.
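As an added illustration (not from the advisory, CISA or Siemens), the following script applies the inventory, BIST-password and physical-access items of the checklist to an asset list: it matches each device against the affected-model list above (all versions affected, so firmware does not exempt a unit) and ranks devices by open device-level mitigations. The inventory rows, hostnames, firmware strings and column names are constructed for the example.

```python
import csv
import io

# Affected RUGGEDCOM ROX II models from the advisory summary; all versions are affected.
AFFECTED_MODELS = {
    "MX5000", "MX5000RE", "RX1400", "RX1500", "RX1501", "RX1510",
    "RX1511", "RX1512", "RX1524", "RX1536", "RX5000",
}

# Device-level mitigations from the advisory, keyed by an assumed inventory column name.
MITIGATION_COLUMNS = {
    "boot_password_set": "secure boot/BIST password not configured",
    "console_locked": "local console access not disabled or locked down",
    "cabinet_secured": "device not in a locked cabinet or secure location",
}

# Constructed sample inventory (hostnames, firmware strings and flags are made up).
SAMPLE_INVENTORY = """hostname,model,firmware,location,boot_password_set,console_locked,cabinet_secured
rtr-sub-01,RUGGEDCOM ROX II RX1500,2.16.0,substation A,no,no,yes
rtr-sub-02,rx1510,2.14.1,pump station 3,yes,yes,yes
core-mx-01,RUGGEDCOM ROX MX5000,2.16.0,plant core,yes,no,yes
sw-edge-07,OTHER-MODEL-PLACEHOLDER,1.0.0,roadside cabinet,no,no,no
"""


def normalize_model(raw: str) -> str:
    """Reduce vendor strings such as 'RUGGEDCOM ROX II RX1500' to the bare model token."""
    tokens = raw.upper().replace("-", " ").split()
    for tok in tokens:
        if tok.startswith(("RX", "MX")):
            return tok
    return " ".join(tokens)  # unlisted model: keep the string for manual review


def triage(inventory_csv: str) -> list[dict]:
    """Return one record per device, sorted so the most exposed affected units come first."""
    results = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        model = normalize_model(row["model"])
        affected = model in AFFECTED_MODELS
        gaps = [msg for col, msg in MITIGATION_COLUMNS.items()
                if row.get(col, "").strip().lower() != "yes"]
        if not affected:
            priority = "review"  # confirm the model against the vendor advisory
        else:
            priority = "P1" if gaps else "P2"  # P2: compensated, still needs the vendor fix
        results.append({"hostname": row["hostname"], "model": model, "affected": affected,
                        "firmware": row.get("firmware", ""), "gaps": gaps, "priority": priority})
    order = {"P1": 0, "P2": 1, "review": 2}
    results.sort(key=lambda r: (order[r["priority"]], -len(r["gaps"]), r["hostname"]))
    return results
```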
If you suspect a device has been compromised
- Immediately isolate the device at Layer 2/3 (block management and control-plane access).
- Preserve logs and capture memory or filesystem images if operationally and legally feasible, documenting chain of custody.
- Rotate any credentials that may have been stored on or accessible through the device’s configuration.
- Engage Siemens ProductCERT or your vendor support channel for forensic guidance and remediation steps. (siemens.com)
- Report confirmed or suspected incidents to your national CSIRT / regulator as required and follow local reporting rules for critical infrastructure. CISA and other national bodies provide reporting instructions for industrial control system incidents. (cisa.gov)
Threat model and risk analysis — why a physical exploit is still critical
An exploit requiring physical access often gets lower attention than a remote RCE, but in industrial and critical-manufacturing contexts the reality is stark:
- Many OT assets are dispersed across remote substations, pump stations, and roadside cabinets that may be physically accessible to maintenance staff, contractors, or adversaries given an opportunity. The physical vector thus reduces attacker skill requirements while delivering high-impact results.
- Attackers who can gain a foothold via local access can escalate to persistent, stealthy insiders or install firmware-level implants that survive reboots and appear to be legitimate device behavior.
- Local compromise can be used for targeted sabotage, supply-chain infiltration, or lateral movement to higher-value OT targets. Given these attack patterns, a local, high-severity vulnerability must be treated with equivalent urgency to a remotely exploitable flaw. (tenable.com, cert-portal.siemens.com)
Strengths and limitations of current reporting and vendor response
- Strengths: The vulnerability has been assigned a CVE and appears in multiple public vulnerability databases; Siemens ProductCERT is the recommended authoritative source, and public advisories emphasize standard hardening and segmentation best practices. These formalized channels and standardized scoring (CVSS v3.1/v4) help defenders triage and prioritize. (tenable.com, cert-portal.siemens.com)
- Limitations and risks: CISA’s decision to stop updating Siemens advisories beyond initial disclosures places a heavier burden on asset owners to monitor Siemens’ ProductCERT directly. Some public feeds reference SSA-094954 even when a direct ProductCERT page is slow to appear or is being updated, which can create short windows of uncertainty about the vendor’s recommended remediation, whether a patch is available, or whether mitigations differ per model. Operators should treat any such mismatch cautiously and seek direct vendor confirmation when in doubt. (cisa.gov, cvefeed.io)
- Verification gaps: At the time of writing, consolidated public feeds (Tenable, CVE aggregators) describe CVE-2025-40761 and point to SSA-094954; however, if a vendor firmware release is posted it may not yet be reflected across all third-party trackers. Confirm the latest ProductCERT advisory version and patched firmware via Siemens’ official product-cert pages and the product support portal. If the advisory references a fix, follow Siemens’ published procedure for firmware updates and change control. (tenable.com, cert-portal.siemens.com)
Long-term mitigations and programmatic changes
- Inventory and asset hygiene: Maintain a real-time OT asset inventory with firmware versions, physical locations, and maintenance windows to allow rapid triage of emergent CVEs.
- Physical security program: Expand physical security controls for dispersed OT assets — locks, tamper detection, surveillance, and strict contractor vetting.
- Console hardening: Treat serial console and out-of-band management channels as first-class security controls; require authentication, use secure management appliances for console access, and enforce session logging/recording.
- Vendor relationships: Establish a direct, monitored channel with Siemens ProductCERT or your OEM support account to receive push advisories and to accelerate coordinated disclosure and patching.
- Patch governance for OT: Implement a risk-based patching workflow that balances safety and availability with security; pre-stage firmware in lab environments that mirror production to reduce operational risk on upgrade day. (siemens.com)
Final analysis — what to prioritize now
- Treat all listed ROX II units as potentially vulnerable until verified otherwise. Inventory and immediate physical access controls are the quickest risk reducers.
- Follow Siemens ProductCERT and confirm whether SSA-094954 has an associated firmware update; schedule patches per vendor guidance when available. (cert-portal.siemens.com)
- Apply compensating controls now — secure boot/BIST passwords where documented, restrict console access, and isolate the devices from internet-accessible networks.
The technical details summarized here were corroborated from public vulnerability feeds and vendor advisory summaries; the CVE entry and tracking feeds list the affected models and describe a BIST-mode authentication bypass to root, and Siemens ProductCERT remains the definitive place to confirm fixed firmware and exact remediation steps. (tenable.com, cvefeed.io, cert-portal.siemens.com)
Source: CISA Siemens RUGGEDCOM ROX II | CISA