CVE-2025-49796 Cert Portal CVE debrief

Who should care

OT/ICS operators, integrators, and maintainers of the Siemens RUGGEDCOM ROX devices listed in the advisory, especially where systems process untrusted or externally supplied XML.

Technical summary

According to the advisory text, processing specific sch:name elements in input XML can corrupt memory in libxml2. The supplied CVSS vector indicates a network-reachable, low-complexity issue with no privileges or user interaction required, and with high integrity and availability impact. The practical result can be application or device crashes and potentially broader undefined behavior due to memory corruption.

Defensive priority

Urgent. Treat as a critical patching item and validate whether any affected RUGGEDCOM ROX device or workflow parses XML exposed to untrusted input.

Recommended defensive actions

• Update affected Siemens RUGGEDCOM ROX products to V2.17.1 or later, per Siemens ProductCERT guidance.
• Inventory RUGGEDCOM ROX systems and confirm whether they fall under the advisory's affected product list.
• Reduce exposure of XML parsing paths to untrusted input wherever operationally possible.
• Apply defense-in-depth controls around industrial devices, including network segmentation and strict access controls.
• Monitor affected systems for crashes or abnormal behavior that could indicate malformed XML handling issues.

Evidence notes

Source evidence comes from CISA advisory ICSA-26-134-16 republishing Siemens ProductCERT SSA-577017 on 2026-05-14, with the initial advisory publication dated 2026-05-12. The advisory text states that processing certain sch:name elements in input XML can trigger memory corruption in libxml2, and the remediation listed is to update to V2.17.1 or later. The CVSS vector supplied with the advisory is CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H.

Official resources