Command Injection Vulnerability in RUGGEDCOM ROX Products by Siemens
CVE-2023-36755

9.1CRITICAL

Key Information:

Vendor: Siemens
Status: Ruggedcom Rox Mx5000; Ruggedcom Rox Mx5000re; Ruggedcom Rox Rx1400; Ruggedcom Rox Rx1500
Vendor: CVE Published:; 11 July 2023

What is CVE-2023-36755?

A command injection vulnerability exists in the SCEP CA Certificate Name parameter of the web interface on multiple RUGGEDCOM ROX devices prior to version 2.16.0. This flaw arises due to inadequate server-side input validation, allowing an authenticated user with privileged access to execute arbitrary commands with root permissions. Attackers could exploit this vulnerability to gain control of affected devices, posing significant security risks within network environments.

Affected Version(s)

RUGGEDCOM ROX MX5000 All versions < V2.16.0

RUGGEDCOM ROX MX5000RE All versions < V2.16.0

RUGGEDCOM ROX RX1400 All versions < V2.16.0

References

https://cert-portal.siemens.com/productcert/pdf/ssa-14632...

CVSS V3.1

Score:

9.1

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

High

User Interaction:

None

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jul 11, 2023
Vulnerability Reserved
Jun 27, 2023