PatchSiren cyber security CVE debrief
CVE-2025-49794 Cert Portal CVE debrief
CVE-2025-49794 is a critical use-after-free in libxml2 affecting Siemens RUGGEDCOM ROX products covered by the CISA/Siemens advisory. The issue can be triggered during XPath parsing when Schematron uses <sch:name path="..."/> elements, allowing crafted XML input to crash the program and potentially cause other undefined behavior. Siemens lists affected RUGGEDCOM ROX models and recommends updating to V2.17.1 or later.
- Vendor: Cert Portal
- Product: Siemens RUGGEDCOM ROX MX5000, MX5000RE, RX1400, RX1500, RX1501, RX1510, RX1511, RX1512, RX1524, RX1536 and RX5000 (affected range vers:intdot/<2.17.1, i.e. all versions before V2.17.1)
- CVSS: CRITICAL 9.1
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-12
- Original CVE updated: 2026-05-14
- Advisory published: 2026-05-12
- Advisory updated: 2026-05-14
Who should care
OT/ICS operators and engineers managing Siemens RUGGEDCOM ROX devices, plus teams that process untrusted XML through libxml2-based workflows. Priority is highest where these devices or parsing pipelines are exposed to external or semi-trusted XML content.
Technical summary
The advisory describes a use-after-free in libxml2 that occurs under specific XPath/Schematron parsing conditions involving <sch:name path="..."/> schema elements. According to the supplied CVSS vector (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H), no privileges or user interaction are required, and the likely impact is high integrity and availability loss, with crash and undefined behavior explicitly called out in the description. The source advisory ties the issue to Siemens RUGGEDCOM ROX products and recommends upgrading to V2.17.1 or later.
Defensive priority
Immediate. Treat as a critical patching item for affected Siemens RUGGEDCOM ROX assets and any deployment that ingests untrusted XML/Schematron content.
Recommended defensive actions
- Upgrade affected Siemens RUGGEDCOM ROX devices to V2.17.1 or later, per the advisory.
- Inventory all ROX models listed in the advisory and confirm which versions are deployed.
- Identify any workflows that accept external XML, XPath, or Schematron input and restrict exposure where possible.
- Apply compensating controls to limit access to XML-processing services and management interfaces until patched.
- Test updates in a maintenance window appropriate for OT environments and verify vendor guidance before rollout.
- Monitor for crashes or abnormal behavior in systems that parse XML with libxml2.
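An added example in support of the inventory and exposure-identification steps above (not code from PatchSiren, CISA or Siemens): it applies the page's vers:intdot range to ROX model/version pairs, comparing version components numerically rather than as strings, and pre-screens a Schematron schema for the <sch:name path="..."/> construct the advisory names. The Schematron namespace URIs and the sample schema are assumptions constructed for the example.

```python
# Added example: affected-range check and Schematron pre-screen.
# Model list and fixed version are taken from the advisory text on this page;
# namespaces and the sample schema are assumptions constructed here.
import xml.etree.ElementTree as ET

AFFECTED_MODELS = {
    "MX5000", "MX5000RE", "RX1400", "RX1500", "RX1501", "RX1510",
    "RX1511", "RX1512", "RX1524", "RX1536", "RX5000",
}
FIXED_VERSION = "2.17.1"  # advisory: upgrade to V2.17.1 or later

# Schematron namespaces (assumed): ISO Schematron and the older pre-ISO URI.
SCH_NS = ("http://purl.oclc.org/dsdl/schematron",
          "http://www.ascc.net/xml/schematron")


def intdot(version: str) -> tuple:
    """Parse a vers:intdot version ("V2.17.1" or "2.17.1") into an int tuple.

    Numeric comparison matters: as strings "2.9.0" > "2.17.1", as intdot it is lower.
    """
    return tuple(int(p) for p in version.strip().lstrip("Vv").split("."))


def is_affected(model: str, version: str) -> bool:
    """True when the model is in the advisory list and its version is < 2.17.1."""
    if model.upper() not in AFFECTED_MODELS:
        return False
    return intdot(version) < intdot(FIXED_VERSION)


def schematron_path_names(xml_text: str) -> list:
    """Return the path attribute of every <sch:name path="..."/> in a schema.

    Exposure inventory only: schemas from untrusted sources that contain this
    construct are the ones that reach the libxml2 code path the advisory names.
    """
    root = ET.fromstring(xml_text)
    return [el.attrib["path"]
            for ns in SCH_NS
            for el in root.iter(f"{{{ns}}}name")
            if "path" in el.attrib]


# Constructed sample schema (benign, for illustration only).
SAMPLE_SCHEMA = """<sch:schema xmlns:sch="http://purl.oclc.org/dsdl/schematron">
  <sch:pattern><sch:rule context="/">
    <sch:assert test="true()">Root is <sch:name path="."/></sch:assert>
    <sch:report test="false()">Parent <sch:name path=".."/></sch:report>
  </sch:rule></sch:pattern>
</sch:schema>"""

if __name__ == "__main__":
    print(is_affected("RX1500", "V2.16.3"), is_affected("RX1500", "2.17.1"))
    print(schematron_path_names(SAMPLE_SCHEMA))
```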
Evidence notes
Supplied source data identifies CISA advisory ICSA-26-134-16, republished from Siemens ProductCERT SSA-577017, with publication on 2026-05-12 UTC and a republication/update on 2026-05-14 UTC. The advisory description states a libxml2 use-after-free during XPath parsing when Schematron includes <sch:name path="..."/> elements, and lists Siemens RUGGEDCOM ROX products with remediation to V2.17.1 or later. The supplied enrichment marks this as not KEV-listed.
Official resources
- CVE-2025-49794 CVE record (CVE.org)
- CVE-2025-49794 NVD detail (NVD)
- Source item URL (cisa_csaf)
Published 2026-05-12 UTC; modified 2026-05-14 UTC. The supplied timeline shows the source advisory published on the same dates, with 2026-05-14 reflecting CISA republication of the Siemens ProductCERT advisory. No KEV listing is present in,