
Unit 42 details Siemens ROX II zero-day chain that can give attackers persistent root access
Unit 42 says three Siemens Ruggedcom ROX II flaws can be chained for persistent root access on OT switches.
Palo Alto Networks Unit 42 has published technical research on three chained zero-day vulnerabilities in Siemens Ruggedcom ROX II operational technology switches, describing a path from file disclosure to persistent root-level control of devices used inside industrial networks.
The July 17 report says the flaws were found through a partnership between Unit 42's OT Threat Research Lab and Siemens ProductCERT. The affected Ruggedcom ROX II family is used as switching infrastructure in environments such as factories, power plants and other industrial sites, where network devices often sit between human-machine interfaces, programmable logic controllers and other operational assets.
What the chain does
Unit 42 identifies the three issues as CVE-2025-40948, CVE-2025-40947 and CVE-2025-40949. The first can let an authenticated attacker read arbitrary files from the switch's underlying file system with root privileges. That step could expose configuration data, password hashes, private keys or other information useful for follow-on activity.
The second flaw is a command injection issue in the feature key installation process. According to the research, a maliciously crafted feature key can cause attacker-controlled commands to run as root. The third issue involves the web management task scheduler and can be used after access is gained to place commands into the system's root scheduling flow, allowing persistent code execution that can survive reboots.
- CVE-2025-40948 is rated 6.8 under CVSS 3.1.
- CVE-2025-40947 is rated 7.5 under CVSS 3.1.
- CVE-2025-40949 is rated 9.1 under CVSS 3.1.
Why it matters
The findings are significant because OT switches are often treated as supporting infrastructure rather than primary targets. In practice, compromising one can give an attacker a privileged position inside an industrial network, with options to observe traffic, disrupt segmentation, interfere with availability or maintain a foothold close to sensitive control systems.
Unit 42 says Siemens released advisories for the vulnerabilities and recommends affected customers update Ruggedcom ROX II devices to firmware version V2.17.1. The report also urges defense-in-depth measures for industrial environments, including compensating controls where firmware testing and deployment windows make immediate patching difficult.
The research does not claim that the vulnerabilities are being exploited in the wild. Its importance is the coordinated disclosure of a complete exploit chain against equipment that can sit near critical operational processes. For defenders, the immediate priority is inventory: confirm whether Ruggedcom ROX II systems are present, check firmware versions, restrict management access, and schedule updates with normal OT change-control procedures.
Sources
Cover photo by Brett Sayles on Pexels, used under the Pexels License.
CyberOGZ Team






Comments (0)
Leave a Comment