PatchSiren cyber security CVE debrief
CVE-2025-40591 Siemens CVE debrief
CVE-2025-40591 is a high-severity Siemens RUGGEDCOM ROX web-interface flaw disclosed on 2025-05-13. The issue is in the Log Viewers tool, where missing server-side input sanitization can let an authenticated remote attacker trigger command injection. The advisory states this could execute the tail command with root privileges and expose filesystem contents. Siemens and CISA list 11 affected RUGGEDCOM ROX products, including MX5000, MX5000RE, RX1400, RX1500, RX1501, RX1510, RX1511, RX1512, RX1524, RX1536, and RX5000.
- Vendor: Siemens
- Product: RUGGEDCOM ROX MX5000
- CVSS: HIGH 7.7
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2025-05-13
- Original CVE updated: 2025-11-11
- Advisory published: 2025-05-13
- Advisory updated: 2025-11-11
Who should care
OT/ICS operators using Siemens RUGGEDCOM ROX devices, especially teams managing the web interface, authenticated remote access, or centralized logging on MX5000/MX5000RE and RX-series deployments. Security teams responsible for patching and hardening industrial network appliances should treat this as a priority.
Technical summary
The vulnerable component is the Log Viewers feature in the device web interface. Because server-side input sanitization is missing, crafted input from an authenticated remote user can reach command execution paths. The advisory says the resulting command execution can run tail with root privileges, creating a confidentiality impact by exposing the contents of files on the filesystem. CISA's CSAF advisory lists 11 affected Siemens RUGGEDCOM ROX products and points to Siemens remediation guidance.
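A hardened version of the pattern the advisory describes, added here as an illustration and not Siemens' code: the log name is validated server-side against a strict shape and an allow-list, the resolved path is confined to the log directory, and tail is invoked as an argument vector rather than through a shell. The log directory, allow-list and sample log lines are constructed for the example.

```python
import re
import subprocess
import tempfile
from pathlib import Path
from typing import Dict, List

# Hypothetical log directory and allow-list (not the appliance's real paths).
LOG_DIR = Path("/var/log")
ALLOWED_LOGS = {"messages", "auth.log", "syslog"}
SAFE_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,63}")  # plain file names only
MAX_LINES = 1000

def resolve_log_path(name: str, log_dir: Path = LOG_DIR) -> Path:
    """Return the canonical path of an allowed log, or raise ValueError."""
    # Reject metacharacters, whitespace, separators and '..' by shape first.
    if not SAFE_NAME.fullmatch(name):
        raise ValueError(f"rejected log name: {name!r}")
    if name not in ALLOWED_LOGS:
        raise ValueError(f"log not on allow-list: {name!r}")
    base = log_dir.resolve()
    target = (base / name).resolve()
    if target.parent != base:  # symlink or traversal escaped the directory
        raise ValueError(f"path escapes log directory: {target}")
    return target

def build_tail_argv(name: str, lines: int, log_dir: Path = LOG_DIR) -> List[str]:
    """Build tail's argument vector; with no shell involved, the name is data."""
    if not 1 <= lines <= MAX_LINES:
        raise ValueError("line count out of range")
    return ["tail", "-n", str(lines), str(resolve_log_path(name, log_dir))]

def view_log(name: str, lines: int = 50, log_dir: Path = LOG_DIR) -> str:
    """Run tail without a shell; the service itself should not run as root."""
    argv = build_tail_argv(name, lines, log_dir)
    return subprocess.run(argv, capture_output=True, text=True, check=True).stdout

def demo() -> Dict[str, str]:
    """Exercise the checks against a constructed temporary log directory."""
    with tempfile.TemporaryDirectory() as tmp:
        log_dir = Path(tmp)
        (log_dir / "messages").write_text("boot ok\nlink up\nlogin admin\n")
        out = {"messages": view_log("messages", 2, log_dir)}
        for bad in ("messages;", "../messages", ".profile", "auth.log "):
            try:
                build_tail_argv(bad, 10, log_dir)
                out[bad] = "accepted"
            except ValueError:
                out[bad] = "rejected"
    return out
```

Running the service under an unprivileged account is the second half of the fix: even a validation bypass should then read only files that account can open.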
Defensive priority
High — prioritize remediation because the attack is remote, requires authentication, and can lead to root-level command execution with broad file disclosure on affected OT devices.
Recommended defensive actions
- Update affected devices to Siemens V2.16.5 or later, as specified in the vendor remediation guidance.
- Restrict access to the device web interface to trusted administrative networks and users only.
- Review and minimize who has authenticated access to Log Viewers and other administrative web functions.
- Apply OT network segmentation and other ICS defense-in-depth controls around management interfaces.
- Monitor for unusual administrative activity or unexpected use of log-viewing functions on affected devices.
Evidence notes
Primary evidence comes from the CISA CSAF advisory ICSA-25-135-17 and the Siemens advisory referenced there. The source record states the flaw is a command injection issue in the Log Viewers web tool caused by missing server-side input sanitization, affecting 11 Siemens RUGGEDCOM ROX products. It also states that an authenticated remote attacker could execute tail with root privileges and disclose filesystem contents. The published date used here is 2025-05-13; the 2025-11-11 update is an advisory revision, not the vulnerability origination date.
Official resources
- CVE-2025-40591 CVE record (CVE.org)
- CVE-2025-40591 NVD detail (NVD)
- Source item URL: cisa_csaf
Publicly disclosed in the CISA/Siemens advisory on 2025-05-13. The source record was revised on 2025-11-11 to add an acknowledgement, but the vulnerability publication date remains 2025-05-13.