RUGGEDCOM ROX RCE via Feature Key Installation (CVE-2025-40947)

/HIGH /CVSS 7.5/10
Written by SCW Vulnerability Desk Vulnerability Intelligence
SCW vulnerabilitycvehigh-severityremote-code-executioncwe-78
RUGGEDCOM ROX RCE via Feature Key Installation (CVE-2025-40947)

A critical vulnerability, CVE-2025-40947, has been identified in multiple RUGGEDCOM ROX devices, including various models from the MX5000, MX5000RE, RX1400, RX1500, RX1501, RX1510, RX1511, RX1512, RX1524, RX1536, and RX5000 series. The National Vulnerability Database reports that all versions prior to V2.17.1 are affected. This flaw stems from improper input sanitization during the feature key installation process.

This weakness allows an authenticated remote attacker to inject arbitrary commands. The result is remote code execution with root privileges on the underlying operating system. The National Vulnerability Database assigns this a CVSSv3 score of 7.5 (High), emphasizing the significant impact of full system compromise. The attack vector is network-based, but requires low privileges and high attack complexity, as detailed by the CVSS vector CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H.

For defenders, this is a severe issue. Gaining root access through an authenticated session on critical infrastructure hardware is a nightmare scenario. While authentication is required, internal attackers or compromised credentials could easily weaponize this. Patching these systems to V2.17.1 or later is non-negotiable. Furthermore, review access controls around feature key installation and monitor for anomalous activity related to administrative functions on these devices.

What This Means For You

  • If your organization utilizes RUGGEDCOM ROX devices, specifically any of the MX5000, MX5000RE, RX1400, RX1500, RX1501, RX1510, RX1511, RX1512, RX1524, RX1536, or RX5000 series running versions prior to V2.17.1, you are exposed to remote code execution with root privileges. Prioritize patching these systems to V2.17.1 or newer immediately. Audit logs for any unusual feature key installations or administrative access.

Related ATT&CK Techniques

T1190 Exploit Public-Facing Application Initial Access T1059.004 Command and Scripting Interpreter: Unix Shell Execution T1204.002 Malicious File: Known Exploited Vulnerability Execution

🛡️ Detection Rules

3 rules · 6 SIEM formats

3 detection rules auto-generated for this incident, mapped to MITRE ATT&CK. Sigma YAML is free — export to any SIEM format via the Intel Bot.

critical T1190 Initial Access

RUGGEDCOM ROX Feature Key Installation Command Injection - CVE-2025-40947

Sigma YAML — free preview 
title: RUGGEDCOM ROX Feature Key Installation Command Injection - CVE-2025-40947
id: scw-2026-05-12-ai-1
status: experimental
level: critical
description: |
  This rule detects the exploitation of CVE-2025-40947 by identifying the execution of shell commands (sh, bash, zsh) that contain keywords related to feature key installation ('feature_key', 'install') and also contain command injection characters (';', '&&', '||'). This indicates an attempt to inject arbitrary commands during the feature key installation process on affected RUGGEDCOM ROX devices.
author: SCW Feed Engine (AI-generated)
date: 2026-05-12
references:
  - https://shimiscyberworld.com/posts/nvd-CVE-2025-40947/
tags:
  - attack.initial_access
  - attack.t1190
logsource:
    category: process_creation
detection:
  selection:
      Image|endswith:
          - 'sh'
          - 'bash'
          - 'zsh'
      CommandLine|contains:
          - 'feature_key'
          - 'install'
      CommandLine|contains:
          - ';'
          - '&&'
          - '||'
      condition: selection
falsepositives:
  - Legitimate administrative activity

Source: Shimi's Cyber World · License & reuse

✓ Sigma · Splunk SPL Sentinel KQL Elastic QRadar AQL Wazuh Get rules for your SIEM →

Indicators of Compromise

IDTypeIndicator
CVE-2025-40947 RCE RUGGEDCOM ROX MX5000 (All versions < V2.17.1)
CVE-2025-40947 RCE RUGGEDCOM ROX MX5000RE (All versions < V2.17.1)
CVE-2025-40947 RCE RUGGEDCOM ROX RX1400 (All versions < V2.17.1)
CVE-2025-40947 RCE RUGGEDCOM ROX RX1500 (All versions < V2.17.1)
CVE-2025-40947 Command Injection User-supplied input during feature key installation process

Written by SCW Vulnerability Desk

Source & Attribution
Source PlatformNVD
ChannelNational Vulnerability Database
PublishedMay 12, 2026 at 13:16 UTC

This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.

Believe this infringes your rights? Submit a takedown request.

Related coverage

CVE-2026-45218: WP Travel Blind SQL Injection Puts User Data at Risk

CVE-2026-45218 — Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in WP Travel WP Travel wp-travel allows Blind SQL Injection.This...

vulnerabilityCVEhigh-severitysql-injectioncwe-89
/SCW Vulnerability Desk /HIGH /7.7 /⚑ 4 IOCs /⚙ 6 Sigma

CVE-2026-45215 — Saad Iqbal WP EasyPay Wp-Easy-Pay Vulnerability

CVE-2026-45215 — Insertion of Sensitive Information Into Sent Data vulnerability in Saad Iqbal WP EasyPay wp-easy-pay allows Retrieve Embedded Sensitive Data.This issue affects WP EasyPay:...

vulnerabilityCVEmedium-severitycwe-201
/SCW Vulnerability Desk /MEDIUM /5.3 /⚑ 2 IOCs /⚙ 3 Sigma

Xpro Elementor Addons SQL Injection (CVE-2026-45214) Poses High Risk

CVE-2026-45214 — Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Xpro Xpro Elementor Addons xpro-elementor-addons allows Blind SQL Injection.This...

vulnerabilityCVEhigh-severitysql-injectioncwe-89
/SCW Vulnerability Desk /HIGH /8.5 /⚑ 4 IOCs /⚙ 3 Sigma