Command Injection Vulnerability in RUGGEDCOM ROX Devices by Siemens
CVE-2023-36750

9.1CRITICAL

Key Information:

Vendor: Siemens
Status: Ruggedcom Rox Mx5000; Ruggedcom Rox Mx5000re; Ruggedcom Rox Rx1400; Ruggedcom Rox Rx1500
Vendor: CVE Published:; 11 July 2023

Summary

A command injection vulnerability has been detected in the web interface of RUGGEDCOM ROX devices produced by Siemens. This issue affects all versions prior to V2.16.0 across various models. The vulnerability stems from the software-upgrade URL parameter, which lacks proper server-side input sanitization. An authenticated attacker with elevated privileges could exploit this weakness to execute arbitrary commands with root capabilities, potentially compromising the integrity and security of the affected systems.

Affected Version(s)

RUGGEDCOM ROX MX5000 All versions < V2.16.0

RUGGEDCOM ROX MX5000RE All versions < V2.16.0

RUGGEDCOM ROX RX1400 All versions < V2.16.0

References

https://cert-portal.siemens.com/productcert/pdf/ssa-14632...

CVSS V3.1

Score:

9.1

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

High

User Interaction:

None

Scope:

Changed

Timeline

Vulnerability published
Jul 11, 2023
Vulnerability Reserved
Jun 27, 2023