Siemens ROX II Zero-Day Vulnerabilities (CVE-2025-40947, CVE-2025-40948, CVE-2025-40949)

Siemens ROX II Zero-Day Chain Allows Full Root Access on OT Switches

CRITICAL
July 17, 2026
9m read
VulnerabilityIndustrial Control SystemsThreat Intelligence

Related Entities

Organizations

Products & Tech

CVE Identifiers

CVE-2025-40948
MEDIUM
CVSS:6.8
CVE-2025-40947
HIGH
CVSS:7.5
CVE-2025-40949
CRITICAL
CVSS:9.1

Full Report

Executive Summary

In a coordinated disclosure with Siemens, researchers from Palo Alto Networks Unit 42 have detailed a critical, three-stage exploit chain affecting Siemens RUGGEDCOM ROX II operational technology (OT) switches. The three chained zero-day vulnerabilities are tracked as CVE-2025-40948 (Arbitrary File Disclosure, CVSS 6.8), CVE-2025-40947 (Privilege Escalation, CVSS 7.5), and CVE-2025-40949 (Persistence via Scheduled Tasks, CVSS 9.1). When combined, these flaws allow an attacker to escalate privileges to root and establish persistent control over a compromised switch.

These devices are integral to network security and communication in industrial environments. A successful exploit could transform a trusted network device into a malicious platform, enabling attackers to pivot deeper into critical infrastructure networks, disrupt operations, or exfiltrate sensitive data. Siemens has issued security advisories and released firmware version V2.17.1 to remediate these vulnerabilities. All operators of affected ROX II devices are strongly advised to apply the update immediately.


Vulnerability Details

The attack unfolds in a three-step sequence, leveraging each vulnerability to progressively deepen the compromise. This chain demonstrates how seemingly moderate flaws can be combined to achieve a critical impact.

Stage 1: Information Disclosure (CVE-2025-40948)

  • CVE ID: CVE-2025-40948
  • CVSS 3.1 Score: 6.8 (Medium)
  • Description: This arbitrary file disclosure vulnerability exists within a privileged daemon running on the ROX II operating system. Researchers found that they could abuse the legitimate xz Linux utility, which is accessible to the daemon. By passing specific parameters (-f, -c, -d), an attacker can force the xz command to act like the cat command, printing the contents of arbitrary files on the system. This allows an attacker to read sensitive information, such as configuration files, password hashes, or network topology data, which is then used to plan the next stage of the attack.

Stage 2: Privilege Escalation (CVE-2025-40947)

  • CVE ID: CVE-2025-40947
  • CVSS 3.1 Score: 7.5 (High)
  • Description: This is the core vulnerability in the chain. After gaining initial information, an attacker can exploit a flaw in the switch's feature key functionality. This mechanism is designed to unlock optional software capabilities on the device. Through reverse engineering, researchers discovered a logical flaw that could be manipulated to execute code with root privileges. This successfully bypasses all standard security measures and grants the attacker complete control over the switch's operating system.

Stage 3: Persistence (CVE-2025-40949)

  • CVE ID: CVE-2025-40949
  • CVSS 3.1 Score: 9.1 (Critical)
  • Description: To ensure their access survives a system reboot, the attacker leverages this third vulnerability. An authenticated attacker with root privileges can exploit the switch's task scheduling functionality. This allows them to schedule malicious scripts or commands to run automatically at specified intervals with root permissions. This establishes a persistent foothold on the device, making the compromise difficult to detect and eradicate. The persistent access can be used for long-term data exfiltration, ongoing denial-of-service attacks, or to maintain a launchpad for further attacks within the OT network.

Affected Systems

The vulnerabilities affect the following products:

  • Siemens RUGGEDCOM ROX II portfolio: All versions prior to V2.17.1.

Siemens has released firmware version V2.17.1 to address these issues. Customers are directed to consult Siemens Security Advisories SSA-973901, SSA-078743, and SSA-081142 for detailed information.


Exploitation Status

These vulnerabilities were discovered by Unit 42 researchers and responsibly disclosed to Siemens through a collaborative partnership. At the time of disclosure, there is no evidence of these vulnerabilities being actively exploited in the wild. However, with the public release of technical details, the risk of exploitation by malicious actors increases significantly. The availability of a clear, three-step path to root access makes these vulnerabilities an attractive target for threat actors focusing on industrial environments.


Impact Assessment

A successful exploit of this vulnerability chain poses a severe threat to any organization relying on Siemens ROX II switches. As core components of an OT network, these switches manage traffic between critical assets like Human-Machine Interfaces (HMIs) and Programmable Logic Controllers (PLCs).

Compromising the switch itself has several critical impacts:

  • Loss of Network Integrity: The switch can no longer be trusted to enforce network segmentation, potentially exposing sensitive control systems to unauthorized access.
  • Platform for Attack Pivoting: An attacker can use the compromised switch as a persistent base of operations to launch further attacks against other devices within the OT network.
  • Denial of Service (DoS): The attacker could disrupt, manipulate, or block traffic, potentially halting industrial processes and causing significant operational downtime and financial loss.
  • Data Exfiltration: Sensitive operational data, network configurations, and intellectual property could be exfiltrated from the network.

Given their role in critical infrastructure sectors like manufacturing and energy, the compromise of these devices could lead to physical safety risks and widespread service disruption.


IOCs — Directly from Articles

No specific Indicators of Compromise (IOCs) such as IP addresses, domains, or file hashes were provided in the source article.

Cyber Observables — Hunting Hints

The following patterns could indicate related malicious activity or attempts to exploit these vulnerabilities:

Type
Command Line Pattern
Value
xz -f -c -d
Description
The xz utility being used with parameters that cause it to output file contents. This is highly anomalous.
Type
Log Source
Value
Shell command history, auditd logs
Description
These logs may capture suspicious command executions on the device.
Type
File Path
Value
Modifications to cron jobs or task scheduler configurations
Description
Unexpected changes could indicate persistence attempts (/etc/cron.d/, /etc/crontab).
Type
Network Traffic
Value
Anomalous outbound connections from the switch management interface
Description
Connections to unknown external IPs could signify data exfiltration or C2 communication.

Detection & Response

Security teams should focus on both endpoint and network-level detection strategies.

  1. Vulnerability Scanning: Use vulnerability management tools to scan for Siemens ROX II devices running firmware versions prior to V2.17.1.
  2. Log Analysis: Ingest and monitor system logs from ROX II switches. Create detection rules to alert on the anomalous use of the xz command as described in the T1212 - Exploitation for Information Disclosure technique. A sample detection logic could be:
    title: Suspicious XZ Command for File Disclosure
    description: Detects the use of 'xz -f -c -d' which can be abused to read file contents, as seen in the Siemens ROX II vulnerability chain.
    logsource:
      product: linux
      service: auditd
    detection:
      selection:
        process.name: 'xz'
        process.command_line|contains_all:
          - '-f'
          - '-c'
          - '-d'
      condition: selection
    level: high
    
  3. File Integrity Monitoring (FIM): Deploy FIM on critical system files and directories, particularly those related to scheduled tasks, to detect unauthorized modifications indicative of T1543.003 - Create or Modify System Process: Systemd Timers.
  4. Network Monitoring: Implement Network Traffic Analysis (D3-NTA) to baseline normal traffic patterns from the switch's management interface. Alert on any deviations, such as connections to unusual ports or external IP addresses.

Mitigation

Immediate and long-term mitigation actions are crucial to defend against this threat.

  1. Patch Immediately: The primary mitigation is to update all affected Siemens RUGGEDCOM ROX II devices to firmware version V2.17.1 or later. This is the most effective way to eliminate the vulnerabilities. This corresponds to M1051 - Update Software.
  2. Restrict Network Access: As a compensating control, strictly limit network access to the device's management interface. Use firewalls or access control lists to ensure that only dedicated, trusted administrative workstations can communicate with the switch. This aligns with M1035 - Limit Access to Resource Over Network.
  3. Implement Network Segmentation: Employ robust Network Segmentation (D3-NI) to isolate the OT network from the IT network. This can help contain the impact of a compromised device and prevent lateral movement. This is a key principle of M1030 - Network Segmentation.
  4. Enforce Strong Credential Policies: While not a direct fix, ensuring strong, unique credentials for all network devices, including switches, makes initial access and lateral movement more difficult for attackers. This falls under M1026 - Privileged Account Management.

Timeline of Events

1
July 17, 2026
This article was published

MITRE ATT&CK Mitigations

Applying the firmware update (V2.17.1) from Siemens is the most direct and effective way to remediate all three vulnerabilities.

Mapped D3FEND Techniques:

Restricting access to the switch's management interface to a limited set of trusted administrative hosts reduces the attack surface.

Mapped D3FEND Techniques:

Properly segmenting the OT network from the IT network can contain the blast radius if a device is compromised, preventing lateral movement.

Mapped D3FEND Techniques:

Audit

M1047enterprise

Enable and collect detailed logs from network devices to detect anomalous activity, such as suspicious command execution or file access.

Mapped D3FEND Techniques:

Although this attack involves privilege escalation, adhering to the principle of least privilege for all accounts can limit an attacker's initial capabilities.

Mapped D3FEND Techniques:

D3FEND Defensive Countermeasures

The most critical action is to apply the security patch provided by Siemens. Organizations must immediately identify all Siemens RUGGEDCOM ROX II devices in their environment and update them to firmware version V2.17.1 or later. This action directly remediates the root cause of all three vulnerabilities (CVE-2025-40948, CVE-2025-40947, CVE-2025-40949). Develop a prioritized patching plan, starting with internet-facing or externally accessible switches, followed by those protecting the most critical industrial processes. Before deployment in a production OT environment, the firmware update should be tested in a lab or non-critical segment to ensure it does not negatively impact operations. Use asset inventory systems to track the patch status of all devices and verify successful deployment.

As a vital compensating control, implement strict inbound traffic filtering for the management interfaces of all ROX II switches. Configure network firewalls and access control lists (ACLs) to explicitly deny all traffic to the management ports (e.g., SSH, HTTPS) by default. Then, create explicit allow rules for only a small, well-defined set of trusted administrative jump boxes or management workstations. This 'default-deny' posture significantly reduces the attack surface by preventing unauthorized users from reaching the vulnerable interfaces, thus blocking the initial step of the exploit chain. This technique is especially critical for organizations that cannot immediately apply the firmware patch.

To detect potential exploitation attempts, security teams should implement process monitoring on the ROX II devices, if possible, or on systems that manage them. Specifically, create detection analytics to identify the anomalous execution of the xz command with the -f -c -d arguments. This is a high-fidelity indicator of an attempt to exploit CVE-2025-40948. An EDR solution or a host-based intrusion detection system (HIDS) capable of monitoring command-line arguments is ideal for this purpose. Establish a baseline of normal processes and command-line usage on these devices and alert on any deviations. If a suspicious process is detected, it should trigger an immediate incident response investigation to determine the scope of the potential compromise.

Sources & References

Three Steps to the Terminal: A Siemens ROX II Zero-Day Trilogy
Unit 42 (unit42.paloaltonetworks.com) July 16, 2026

Article Author

Jason Gomes

Jason Gomes

• Cybersecurity Practitioner

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.

Threat Intelligence & AnalysisSecurity Orchestration (SOAR/XSOAR)Incident Response & Digital ForensicsSecurity Operations Center (SOC)SIEM & Security AnalyticsCyber Fusion & Threat SharingSecurity Automation & IntegrationManaged Detection & Response (MDR)

Editorial Standards & Analyst Review

CyberNetSec.io uses automation to assist source monitoring, deduplication, observable extraction, and structured intelligence generation. Published analysis follows human-defined editorial standards and adds defensive context including MITRE ATT&CK, D3FEND, STIX, and Sigma where applicable. Read our editorial policy.

Tags

ICSOTZero-DayVulnerabilitySiemensPrivilege EscalationPersistenceRCEFirmware

📢 Share This Article

Help others stay informed about cybersecurity threats

🎯 MITRE ATT&CK Mapped

Every tactic, technique, and sub-technique used in this threat has been identified and mapped to the MITRE ATT&CK framework for consistent, actionable threat language.

🧠 Enriched & Analyzed

Observables and indicators of compromise (IOCs) have been extracted and cataloged. Risk has been assessed and correlated with known threat actors and historical campaigns.

🛡️ Actionable Guidance

Detection rules, incident response steps, and D3FEND-aligned mitigation strategies are included so your team can act on this intelligence immediately.

🔗 STIX Visualizer

Structured threat data is packaged as a STIX 2.1 bundle and can be visualized as an interactive graph — relationships between actors, malware, techniques, and indicators.

Sigma Generator

Sigma detection rules are derived from the threat techniques in this article and can be converted for deployment across any major SIEM or EDR platform.