Command Injection Vulnerability in RUGGEDCOM ROX Products by Siemens
CVE-2023-36754

9.1CRITICAL

Key Information:

Vendor: Siemens
Status: Ruggedcom Rox Mx5000; Ruggedcom Rox Mx5000re; Ruggedcom Rox Rx1400; Ruggedcom Rox Rx1500
Vendor: CVE Published:; 11 July 2023

What is CVE-2023-36754?

A significant command injection vulnerability exists in the web interface of RUGGEDCOM ROX devices due to inadequate input sanitization of the SCEP server configuration URL parameter. This flaw allows an authenticated privileged remote attacker to execute arbitrary commands with root privileges, compromising the security and integrity of the affected devices. Users should be aware of this risk and consider upgrading to version 2.16.0 or later to mitigate the issue effectively.

Affected Version(s)

RUGGEDCOM ROX MX5000 All versions < V2.16.0

RUGGEDCOM ROX MX5000RE All versions < V2.16.0

RUGGEDCOM ROX RX1400 All versions < V2.16.0

References

https://cert-portal.siemens.com/productcert/pdf/ssa-14632...

CVSS V3.1

Score:

9.1

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

High

User Interaction:

None

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jul 11, 2023
Vulnerability Reserved
Jun 27, 2023