PatchSiren cyber security CVE debrief
CVE-2025-40947 Cert Portal CVE debrief
CVE-2025-40947 affects multiple Siemens RUGGEDCOM ROX devices when user-supplied input is not properly sanitized during feature key installation. According to the advisory, an authenticated remote attacker could inject arbitrary commands and achieve remote code execution with root privileges on the underlying operating system. Siemens and CISA list an update to V2.17.1 or later as the fix.
- Vendor
- Cert Portal
- Product
- Siemens RUGGEDCOM ROX MX5000 vers:intdot/<2.17.1 RUGGEDCOM ROX MX5000RE RUGGEDCOM ROX RX1400 RUGGEDCOM ROX RX1500 RUGGEDCOM ROX RX1501 RUGGEDCOM ROX RX1510 RUGGEDCOM ROX RX1511 RUGGEDCOM ROX RX1512 RUGGEDCOM ROX RX1524 RUGGEDCOM ROX RX1536 RUGGEDCOM ROX RX5000
- CVSS
- HIGH 7.5
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-05-12
- Original CVE updated
- 2026-05-14
- Advisory published
- 2026-05-12
- Advisory updated
- 2026-05-14
Who should care
OT/ICS operators, network and security administrators, and maintenance teams responsible for Siemens RUGGEDCOM ROX MX5000, MX5000RE, RX1400, RX1500, RX1501, RX1510, RX1511, RX1512, RX1524, RX1536, and RX5000 devices.
Technical summary
The advisory describes a command-injection condition during the feature key installation process caused by improper input sanitization. The reported attack vector is network-based with low privilege requirements (CVSS v3.1: AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H), and successful exploitation can yield root-level code execution on the device's underlying operating system.
Defensive priority
High: prioritize remediation on any affected RUGGEDCOM ROX device, especially if authenticated administrative access is used for feature key installation or if the devices are managed remotely.
Recommended defensive actions
- Update affected devices to V2.17.1 or later, per the vendor remediation guidance.
- Review who can perform feature key installation and restrict that capability to trusted administrative accounts.
- Monitor and audit privileged access to the affected devices, with particular attention to feature key installation activities.
- Validate device inventories against the affected product list in the advisory to confirm exposure.
- Use CISA ICS recommended practices and defense-in-depth guidance to reduce the impact of command-injection flaws in OT environments.
Evidence notes
All substantive claims in this debrief are taken from the supplied CISA CSAF advisory ICSA-26-134-11, which republishes Siemens ProductCERT advisory SSA-078743. The source states that affected devices do not properly sanitize user-supplied input during feature key installation, enabling authenticated remote command injection and root RCE. The supplied CVSS vector is CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H with a score of 7.5 (HIGH). Publication timing in the corpus is 2026-05-12, with a source modification/republication on 2026-05-14. The enrichment data indicates this is not a KEV-listed item.
Official resources
-
CVE-2025-40947 CVE record
CVE.org
-
CVE-2025-40947 NVD detail
NVD
-
Source item URL
cisa_csaf
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
CISA published the advisory on 2026-05-12 and republished it on 2026-05-14, reflecting the initial Siemens ProductCERT SSA-078743 advisory. The supplied timeline shows the same dates for the source item; no KEV date is listed.