Researchers chained three previously unknown flaws in Siemens Ruggedcom ROX II switches into a single attack that hands an intruder persistent root control of the industrial network gear. The Palo Alto Networks Unit 42 OT Threat Research Lab, working with Siemens ProductCERT, disclosed the trio, and Siemens has shipped fixes in firmware version V2.17.1.
ROX II runs on Ruggedcom switches that route traffic between critical assets like human machine interfaces and programmable logic controllers on factory floors and in power plants. A common assumption is that such devices are safe because they sit on isolated or air gapped networks, but the researchers show the switch itself is an attack surface an unprivileged attacker can turn against the network it protects.
Three steps to root
The exploit escalates from a quiet look around to total takeover. First, an arbitrary file disclosure bug (CVE-2025-40948, CVSS 6.8) abuses a root level xz utility to read any file on the device, exposing password hashes, private keys and configuration. Next, a critical command injection flaw (CVE-2025-40947, CVSS 7.5) in the feature key license check fails to sanitize attacker input before running it as root, delivering a reverse shell and full control. Finally, a task scheduler flaw (CVE-2025-40949, CVSS 9.1) lets an authenticated attacker inject commands into the device's root cron table, so the malicious code survives reboots.
Why it matters
An OT switch is meant to enforce segmentation and keep the network safe. Turned against its owner, it becomes a durable foothold for spying on or disrupting industrial operations, and cron based persistence makes the compromise hard to spot and remove. It lands the same month regulators flagged critical bugs in other industrial control gear from Rockwell and ABB, and follows a June round of command injection flaws in Siemens management servers.
What you should do
Siemens has published advisories SSA-973901, SSA-078743 and SSA-081142 and recommends updating affected ROX II devices to firmware V2.17.1. Where OT change windows delay patching, restrict access to the web management interface, watch for unusual task scheduler entries, and flag any use of the xz utility with the -f, -c and -d flags by the configuration daemon, a sign of the file disclosure step.
This briefing is provided by IntelFusions for informational and defensive purposes only. It is based on sources assessed to be reliable at the time of writing, and analytic judgments carry the confidence levels indicated. Indicators of compromise are defanged; re-arm them only in controlled environments. IntelFusions is not affiliated with the organizations named and makes no warranty as to completeness or accuracy.