PatchSiren cyber security CVE debrief
CVE-2025-40948 Siemens RUGGEDCOM ROX CVE debrief
CVE-2025-40948 is a medium-severity issue in Siemens RUGGEDCOM ROX web server JSON-RPC handling. CISA’s advisory says affected devices fail to properly validate input, which could let an authenticated remote attacker read arbitrary files from the underlying operating system filesystem with root privileges. The supplied remediation is to update to V2.17.1 or later.
- Vendor
- Siemens (republished by CISA from Siemens ProductCERT)
- Product
- Siemens RUGGEDCOM ROX MX5000, MX5000RE, RX1400, RX1500, RX1501, RX1510, RX1511, RX1512, RX1524, RX1536 and RX5000, all versions before V2.17.1
- CVSS
- MEDIUM 6.8
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-05-12
- Original CVE updated
- 2026-05-14
- Advisory published
- 2026-05-12
- Advisory updated
- 2026-05-14
Who should care
OT/ICS operators running Siemens RUGGEDCOM ROX MX5000, MX5000RE, RX1400, RX1500, RX1501, RX1510, RX1511, RX1512, RX1524, RX1536, or RX5000—especially if the web interface is exposed or used for remote administration.
Technical summary
The flaw is in the web server's JSON-RPC interface and is described as improper input validation. The advisory indicates the attacker must already hold a high-privilege account on the device (CVSS PR:H), but the interface is network-reachable (AV:N) and the result is an arbitrary file read from the underlying OS with root privileges, so confidentiality impact is high (C:H) and scope is changed (S:C): the vulnerable component is the web server, but the data disclosed belongs to the host operating system. The supplied CVSS vector is CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N, and the source references CWE-88 (Improper Neutralization of Argument Delimiters in a Command, "Argument Injection"), which is worth noting when reviewing the fix because it points at argument handling rather than a generic validation gap.
Defensive priority
Prioritize this as a patch-now issue for any deployed or remotely managed affected device. The authentication requirement (PR:H) narrows the attacker to someone who already holds a high-privilege account on the device, but the interface is network reachable, the impact is root-level file disclosure from the OS, and the changed scope means a compromised or misused web-admin credential exposes the host rather than only the web application.
Recommended defensive actions
- Update affected Siemens RUGGEDCOM ROX devices to V2.17.1 or later using the vendor guidance.
- Reduce exposure of the device web interface and JSON-RPC management paths to only trusted administrative networks.
- Verify which assets match the affected product list and version range (all listed models running a version before V2.17.1) before remediation, and confirm the installed version again afterwards.
- Review which accounts hold high-privilege access to the web server, along with the access-control and remote-management paths around it, since exploitation requires such an account.
- Use CISA ICS recommended practices and defense-in-depth guidance to add compensating controls where patching cannot be immediate.
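One way to carry out the asset-verification step above, as an added example that is not vendor or CISA tooling: a small Python triage that matches inventory records against the advisory's model list and flags firmware below V2.17.1. It assumes, consistent with the remediation guidance, that the same pre-2.17.1 range applies to every listed model; the Device record shape, the hostnames and the firmware strings in the sample inventory are constructed for illustration and are not real devices or real ROX release numbers.

```python
"""Inventory triage for CVE-2025-40948: flag RUGGEDCOM ROX devices whose
model is on the advisory's product list and whose firmware is below V2.17.1.

Added example, not vendor or CISA tooling. Assumes the <V2.17.1 range applies
to every listed model. The inventory records below are constructed; real data
would come from a CMDB or from the devices themselves.
"""
import re
from dataclasses import dataclass

AFFECTED_MODELS = {
    "MX5000", "MX5000RE", "RX1400", "RX1500", "RX1501", "RX1510",
    "RX1511", "RX1512", "RX1524", "RX1536", "RX5000",
}
FIXED_VERSION = (2, 17, 1)  # first fixed release per the advisory


@dataclass(frozen=True)
class Device:
    """Minimal inventory record (shape is this example's assumption)."""
    hostname: str
    model: str      # e.g. "RUGGEDCOM ROX RX1500" or just "RX1500"
    version: str    # e.g. "V2.16.2", "2.17.1", "2.9.3"


def parse_version(text: str) -> tuple:
    """Turn 'V2.16.2', '2.17.1' or '2.9.3' into a tuple of ints so that
    2.9.x sorts below 2.17.x (a plain string compare puts '2.9' after '2.17')."""
    m = re.search(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"no dotted version in {text!r}")
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def normalize_model(text: str) -> str:
    """Strip the 'Siemens RUGGEDCOM ROX' prefix plus case/whitespace noise."""
    cleaned = text.upper()
    for token in ("SIEMENS", "RUGGEDCOM", "ROX"):
        cleaned = cleaned.replace(token, "")
    return cleaned.strip()


def is_affected(device: Device) -> bool:
    """True when the model is on the advisory list and firmware < 2.17.1."""
    return (normalize_model(device.model) in AFFECTED_MODELS
            and parse_version(device.version) < FIXED_VERSION)


def triage(devices) -> dict:
    """Split an inventory into affected (patch now), fixed, and out-of-scope
    buckets, preserving inventory order within each bucket."""
    result = {"affected": [], "fixed": [], "not_in_scope": []}
    for d in devices:
        if normalize_model(d.model) not in AFFECTED_MODELS:
            result["not_in_scope"].append(d.hostname)
        elif parse_version(d.version) < FIXED_VERSION:
            result["affected"].append(d.hostname)
        else:
            result["fixed"].append(d.hostname)
    return result


# Constructed sample inventory: hostnames, models and versions are made up.
SAMPLE_INVENTORY = [
    Device("sub-a-rx1500", "RUGGEDCOM ROX RX1500", "V2.16.2"),
    Device("sub-b-rx1511", "Siemens RUGGEDCOM ROX RX1511", "2.9.3"),
    Device("plant-mx5000", "MX5000", "V2.17.1"),
    Device("plant-rx5000", "RUGGEDCOM ROX RX5000", "V2.18.0"),
    Device("edge-rsg2288", "RUGGEDCOM RSG2288", "5.9.0"),
]

if __name__ == "__main__":
    for bucket, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{bucket}: {', '.join(hosts) or '-'}")
```

The numeric version tuple is the point of the example: a naive string comparison would report a 2.9.x device as newer than 2.17.1 and silently leave it in the "fixed" bucket. Re-run the triage after patching with the freshly read versions to close the verification loop.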
Evidence notes
This debrief is based on CISA CSAF advisory ICSA-26-134-02, which republishes Siemens ProductCERT advisory SSA-973901. The source corpus identifies the issue as improper input validation in the JSON-RPC interface leading to arbitrary file read with root privileges, with publication on 2026-05-12 and republication on 2026-05-14. No KEV listing or ransomware linkage is present in the supplied data.
Official resources
- CVE-2025-40948 CVE record (CVE.org)
- CVE-2025-40948 NVD detail (NVD)
- Source item URL (cisa_csaf)
Publicly disclosed via CISA CSAF on 2026-05-12 and republished on 2026-05-14 from Siemens ProductCERT advisory SSA-973901.