Command Injection Vulnerability in RUGGEDCOM ROX Devices by Siemens
CVE-2025-40949

8.9 HIGH

What is CVE-2025-40949?

A command injection vulnerability has been discovered in the Scheduler functionality of the Web UI for various RUGGEDCOM ROX devices by Siemens. Due to improper sanitization of user-supplied input, an authenticated remote attacker could exploit this flaw to execute arbitrary commands with root privileges on the underlying operating system. To maintain the security and integrity of your systems, it is crucial to update to version V2.17.1 or later.

Affected Version(s)

  • RUGGEDCOM ROX MX5000 0

  • RUGGEDCOM ROX MX5000RE 0

  • RUGGEDCOM ROX RX1400 0

CVSS V4

Score: 8.9
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Attack Requirements: Physical
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved