SSA-094954

Siemens Security Advisory by Siemens ProductCERT

SSA-094954: Authentication Bypass Vulnerability in BIST mode of RUGGEDCOM ROX II

Publication Date:	2025-08-12
Last Update:	2025-08-12
Current Version:	V1.0
CVSS v3.1 Base Score:	7.6
CVSS v4.0 Base Score:	8.6

SUMMARY

RUGGEDCOM ROX II devices do not properly limit access through their Built-In-Self-Test (BIST) mode. This could allow a local attacker to bypass authentication and access a root shell on the device.

Siemens is preparing fix versions and recommends specific countermeasures for products where fixes are not, or not yet available.

KNOWN AFFECTED PRODUCTS

Un-/Collapse All

Affected Product and Versions	Remediation
RUGGEDCOM ROX II family	Show more details
RUGGEDCOM ROX MX5000 All versions affected by CVE-2025-40761	Currently no fix is available Ensure a secure boot password is set as described in the configuration manual to prevent unauthorized access to BIST mode. See https://support.industry.siemens.com/cs/document/109983832/ Sec. 5.9.3 for more details
RUGGEDCOM ROX MX5000RE All versions affected by CVE-2025-40761	Currently no fix is available Ensure a secure boot password is set as described in the configuration manual to prevent unauthorized access to BIST mode. See https://support.industry.siemens.com/cs/document/109983832/ Sec. 5.9.3 for more details
RUGGEDCOM ROX RX1400 All versions affected by CVE-2025-40761	Currently no fix is available Ensure a secure boot password is set as described in the configuration manual to prevent unauthorized access to BIST mode. See https://support.industry.siemens.com/cs/document/109983826/ Sec. 5.9.3 for more details
RUGGEDCOM ROX RX1500 All versions affected by CVE-2025-40761	Currently no fix is available Ensure a secure boot password is set as described in the configuration manual to prevent unauthorized access to BIST mode. See https://support.industry.siemens.com/cs/document/109983829/ Sec. 5.9.3 for more details
RUGGEDCOM ROX RX1501 All versions affected by CVE-2025-40761	Currently no fix is available Ensure a secure boot password is set as described in the configuration manual to prevent unauthorized access to BIST mode. See https://support.industry.siemens.com/cs/document/109983829/ Sec. 5.9.3 for more details
RUGGEDCOM ROX RX1510 All versions affected by CVE-2025-40761	Currently no fix is available Ensure a secure boot password is set as described in the configuration manual to prevent unauthorized access to BIST mode. See https://support.industry.siemens.com/cs/document/109983829/ Sec. 5.9.3 for more details
RUGGEDCOM ROX RX1511 All versions affected by CVE-2025-40761	Currently no fix is available Ensure a secure boot password is set as described in the configuration manual to prevent unauthorized access to BIST mode. See https://support.industry.siemens.com/cs/document/109983829/ Sec. 5.9.3 for more details
RUGGEDCOM ROX RX1512 All versions affected by CVE-2025-40761	Currently no fix is available Ensure a secure boot password is set as described in the configuration manual to prevent unauthorized access to BIST mode. See https://support.industry.siemens.com/cs/document/109983829/ Sec. 5.9.3 for more details
RUGGEDCOM ROX RX1524 All versions affected by CVE-2025-40761	Currently no fix is available Ensure a secure boot password is set as described in the configuration manual to prevent unauthorized access to BIST mode. See https://support.industry.siemens.com/cs/document/109983829/ Sec. 5.9.3 for more details
RUGGEDCOM ROX RX1536 All versions affected by CVE-2025-40761	Currently no fix is available Ensure a secure boot password is set as described in the configuration manual to prevent unauthorized access to BIST mode. See https://support.industry.siemens.com/cs/document/109983829/ Sec. 5.9.3 for more details
RUGGEDCOM ROX RX5000 All versions affected by CVE-2025-40761	Currently no fix is available Ensure a secure boot password is set as described in the configuration manual to prevent unauthorized access to BIST mode. See https://support.industry.siemens.com/cs/document/109983832/ Sec. 5.9.3 for more details

WORKAROUNDS AND MITIGATIONS

Product-specific remediations or mitigations can be found in the section Known Affected Products.
Please follow the General Security Recommendations.

GENERAL SECURITY RECOMMENDATIONS

As a general security measure, Siemens strongly recommends to protect network access to devices with appropriate mechanisms. In order to operate the devices in a protected IT environment, Siemens recommends to configure the environment according to Siemens' operational guidelines for Industrial Security (Download: https://www.siemens.com/cert/operational-guidelines-industrial-security), and to follow the recommendations in the product manuals. Additional information on Industrial Security by Siemens can be found at: https://www.siemens.com/industrialsecurity

PRODUCT DESCRIPTION

ROX-based VPN endpoints and firewall devices are used to connect devices that operate in harsh environments such as electric utility substations and traffic control cabinets.

RUGGEDCOM Ethernet switches are used to operate reliably in electrical harsh and climatically demanding environments such as electric utility substations and traffic control cabinets.

VULNERABILITY DESCRIPTION

Un-/Collapse All

This chapter describes all vulnerabilities (CVE-IDs) addressed in this security advisory. Wherever applicable, it also documents the product-specific impact of the individual vulnerabilities.

Vulnerability CVE-2025-40761

Affected devices do not properly limit access through its Built-In-Self-Test (BIST) mode. This could allow an attacker with physical access to the serial interface to bypass authentication and get access to a root shell on the device.

CVSS v3.1 Base Score	7.6
CVSS v3.1 Vector	CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
CVSS v4.0 Base Score	8.6
CVSS v4.0 Vector	CVSS:4.0/AV:P/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
CWE	CWE-288: Authentication Bypass Using an Alternate Path or Channel

ACKNOWLEDGMENTS

Siemens thanks the following party for its efforts:

Trae Mazza from RMC Global for coordinated disclosure

ADDITIONAL INFORMATION

For further inquiries on security vulnerabilities in Siemens products and solutions, please contact the Siemens ProductCERT: https://www.siemens.com/cert/advisories

HISTORY DATA

V1.0 (2025-08-12):

Publication Date

The use of Siemens Security Advisories is subject to the terms and conditions listed on: https://www.siemens.com/productcert/terms-of-use.