PatchSiren

PatchSiren cyber security CVE debrief

CVE-2025-40949 Cert Portal CVE debrief

CVE-2025-40949 affects Siemens RUGGEDCOM ROX devices exposed through the Web UI Scheduler function. According to the CISA-published advisory, user-supplied input is not properly sanitized, which can let commands be injected into the task scheduling backend. The impact is severe: an authenticated remote attacker could execute arbitrary commands with root privileges on the underlying operating system. Siemens’ remediation is to update to V2.17.1 or later.

Vendor
Cert Portal
Product
  • Siemens RUGGEDCOM ROX MX5000 (vers:intdot/<2.17.1)
  • RUGGEDCOM ROX MX5000RE
  • RUGGEDCOM ROX RX1400
  • RUGGEDCOM ROX RX1500
  • RUGGEDCOM ROX RX1501
  • RUGGEDCOM ROX RX1510
  • RUGGEDCOM ROX RX1511
  • RUGGEDCOM ROX RX1512
  • RUGGEDCOM ROX RX1524
  • RUGGEDCOM ROX RX1536
  • RUGGEDCOM ROX RX5000
CVSS
CRITICAL 9.1
CISA KEV
Not listed in stored evidence
Original CVE published
2026-05-12
Original CVE updated
2026-05-14
Advisory published
2026-05-12
Advisory updated
2026-05-14

Who should care

OT/ICS operators, plant engineers, and security teams managing Siemens RUGGEDCOM ROX MX5000 and the related ROX models listed in the advisory, especially where the Web UI is reachable from outside a dedicated management network or where Web UI administrator credentials are shared beyond a small group.

Technical summary

The advisory describes a command-injection issue in the Scheduler function of the device Web UI. Because the backend does not properly sanitize user-controlled input, an attacker who can authenticate to the Web UI may be able to inject operating-system commands through scheduling requests. The published CVSS 3.1 vector is AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H, which scores 9.1 Critical: PR:H means the attacker already needs a privileged (administrative) Web UI account, and S:C reflects that the impact crosses from the Web UI application into the underlying operating system. The described impact is arbitrary command execution with root privileges.
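The bug class the advisory describes, shown as an added illustration rather than anything from the ROX code base: a scheduler backend that interpolates Web UI request fields straight into a system-crontab line, next to a hardened version that validates the schedule shape, resolves the job through an allowlist and shell-quotes any free-form arguments. The job names, paths and request bodies are constructed for the example.

```python
"""Scheduler input handled two ways: verbatim interpolation (the bug class the
advisory describes) and a hardened form with field validation and an allowlist.
Hypothetical code for illustration, not the RUGGEDCOM ROX implementation."""
import re
import shlex

# A cron-style schedule is exactly five fields; each field may contain only
# digits and the characters * , - /  (no whitespace, no shell metacharacters).
CRON_FIELD = r"[0-9*,/-]+"
CRON_RE = re.compile(rf"{CRON_FIELD}(?: {CRON_FIELD}){{4}}")

# Allowlist of job types the UI may request, each bound to a fixed argv.
# The binaries and paths are placeholders invented for this example.
ALLOWED_JOBS = {
    "backup": ["/usr/sbin/backup-config", "--quiet"],
    "reboot": ["/sbin/reboot"],
}


def render_job_vulnerable(req):
    """Builds a system-crontab line by interpolating request fields verbatim.

    Both fields are injection sinks: metacharacters in 'command' chain extra
    commands, and extra tokens in 'schedule' spill into the command column.
    The line is installed as root, so any injected command runs as root too.
    """
    return f"{req['schedule']} root {req['command']}"


def render_job_hardened(req):
    """Validates the schedule, resolves the job through the allowlist and
    shell-quotes free-form arguments so the shell sees them as literals.
    Raises ValueError for anything outside the expected shape."""
    schedule = req.get("schedule", "")
    if not CRON_RE.fullmatch(schedule):
        raise ValueError(f"rejected schedule: {schedule!r}")
    argv = ALLOWED_JOBS.get(req.get("command"))
    if argv is None:
        raise ValueError(f"rejected job: {req.get('command')!r}")
    extra = req.get("args", [])
    if not all(isinstance(a, str) for a in extra):
        raise ValueError("args must be strings")
    # shlex.join quotes each argument individually: '; id' stays one argument.
    return f"{schedule} root {shlex.join(argv + extra)}"


# Constructed requests: one benign, two carrying injection attempts, one with
# a free-form argument that only the hardened path neutralises.
BENIGN = {"schedule": "0 2 * * *", "command": "backup"}
INJECT_COMMAND = {"schedule": "0 2 * * *", "command": "backup; id > /tmp/out"}
INJECT_SCHEDULE = {"schedule": "* * * * * root /bin/sh -c id #", "command": "backup"}
WITH_ARGS = {"schedule": "0 2 * * *", "command": "backup", "args": ["; id"]}


def demo():
    """Returns {name: (vulnerable line, hardened line or rejection)}."""
    results = {}
    cases = {"benign": BENIGN, "inject_command": INJECT_COMMAND,
             "inject_schedule": INJECT_SCHEDULE, "with_args": WITH_ARGS}
    for name, req in cases.items():
        try:
            hardened = render_job_hardened(req)
        except ValueError as exc:
            hardened = f"REJECTED: {exc}"
        results[name] = (render_job_vulnerable(req), hardened)
    return results


if __name__ == "__main__":
    for name, (vuln, hard) in demo().items():
        print(f"{name}\n  vulnerable: {vuln}\n  hardened:   {hard}")
```

The point of the schedule case is that "sanitize the command field" is not enough: any field that lands on the same line the cron daemon parses is a sink, so the hardened version constrains every field to its expected grammar rather than blocklisting characters.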

Defensive priority

Urgent — apply the vendor fix as soon as practical and reduce access to the Web UI until patched.

Recommended defensive actions

  • Update affected devices to V2.17.1 or later, per Siemens remediation guidance.
  • Restrict Web UI access to trusted administrative networks and least-privilege accounts.
  • Review scheduler-related configuration and audit device logs for unexpected job or command activity.
  • Verify exposure across all ROX models listed in the advisory and prioritize remediation for internet-facing or widely reachable management interfaces.
  • Follow CISA ICS recommended practices for segmentation, access control, and defense-in-depth while remediation is underway.
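A small exposure check that ties the actions above together, added here as an example and not tooling from PatchSiren, CISA or Siemens: it parses the page's vers:intdot/<2.17.1 bound, compares firmware versions numerically (so 2.9.0 is correctly treated as older than 2.17.1, which a plain string compare gets backwards), matches the models named in the advisory, and lists devices to remediate with internet-reachable management interfaces first. It assumes, per the remediation guidance, that the <2.17.1 bound applies to every listed model; the inventory rows, hostnames and exposure labels are constructed, and the parser covers only the single "<X" constraint form that appears on this page.

```python
"""Flags inventory entries that fall under the advisory's affected models and
version bound. Added illustration; inventory is constructed and the 'vers:'
parser handles only the single "<X" constraint shown on the page."""
import re

# Models named in the advisory.
AFFECTED_MODELS = {
    "RUGGEDCOM ROX MX5000", "RUGGEDCOM ROX MX5000RE", "RUGGEDCOM ROX RX1400",
    "RUGGEDCOM ROX RX1500", "RUGGEDCOM ROX RX1501", "RUGGEDCOM ROX RX1510",
    "RUGGEDCOM ROX RX1511", "RUGGEDCOM ROX RX1512", "RUGGEDCOM ROX RX1524",
    "RUGGEDCOM ROX RX1536", "RUGGEDCOM ROX RX5000",
}
# Version bound as listed on the page, in 'vers' notation, intdot scheme
# (dot-separated integers). Assumed here to apply to every listed model.
AFFECTED_RANGE = "vers:intdot/<2.17.1"


def parse_intdot(version):
    """'V2.17.1' or '2.17.1' -> (2, 17, 1). Tuples compare numerically,
    so (2, 9, 0) < (2, 17, 1) holds; a string compare would say otherwise."""
    v = version.strip()
    if v[:1] in ("V", "v"):
        v = v[1:]
    if not re.fullmatch(r"\d+(?:\.\d+)*", v):
        raise ValueError(f"not an intdot version: {version!r}")
    return tuple(int(part) for part in v.split("."))


def parse_upper_bound(spec):
    """Accepts only 'vers:intdot/<X' and returns X as a tuple."""
    m = re.fullmatch(r"vers:intdot/<(\S+)", spec)
    if not m:
        raise ValueError(f"unsupported range: {spec!r}")
    return parse_intdot(m.group(1))


def is_vulnerable_version(version, spec=AFFECTED_RANGE):
    return parse_intdot(version) < parse_upper_bound(spec)


def affected_devices(inventory):
    """Returns hostnames needing the V2.17.1 update, internet-reachable
    Web UIs first, then alphabetical."""
    hits = [d for d in inventory
            if d["model"] in AFFECTED_MODELS and is_vulnerable_version(d["version"])]
    hits.sort(key=lambda d: (d["exposure"] != "internet", d["host"]))
    return [d["host"] for d in hits]


# Constructed inventory rows (hostnames, versions and exposure are invented).
INVENTORY = [
    {"host": "sub-a-rx1500", "model": "RUGGEDCOM ROX RX1500", "version": "V2.9.0", "exposure": "mgmt"},
    {"host": "sub-b-mx5000", "model": "RUGGEDCOM ROX MX5000", "version": "V2.16.4", "exposure": "internet"},
    {"host": "sub-c-rx1510", "model": "RUGGEDCOM ROX RX1510", "version": "V2.17.1", "exposure": "mgmt"},
    {"host": "sub-d-rx1400", "model": "RUGGEDCOM ROX RX1400", "version": "V2.17.2", "exposure": "internet"},
    {"host": "sub-e-rs900", "model": "RUGGEDCOM RS900", "version": "V4.3.0", "exposure": "mgmt"},
]

if __name__ == "__main__":
    for host in affected_devices(INVENTORY):
        print("update to V2.17.1 or later:", host)
```

Devices at exactly V2.17.1 are not flagged, matching "V2.17.1 or later"; the RS900 row is ignored because it is not a model the advisory names, not because of its version.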

Evidence notes

This debrief is based on the CISA CSAF advisory ICSA-26-134-12 (republished from Siemens ProductCERT SSA-081142) and the supplied advisory metadata. The source description states that the Web UI Scheduler input is not properly sanitized and that successful exploitation can lead to arbitrary command execution with root privileges. The advisory was published on 2026-05-12 and modified on 2026-05-14. No KEV listing was supplied for this CVE.

Official resources

Published by CISA on 2026-05-12 and revised on 2026-05-14 as a republication of Siemens ProductCERT SSA-081142. No Known Exploited Vulnerability entry was provided in the source corpus.