🚨 BREAKING

CVE-2025-40949: Critical RUGGEDCOM ROX Command Injection

/CRITICAL /CVSS 9.1/10
Written by SCW Vulnerability Desk Vulnerability Intelligence
SCW vulnerabilitycvecriticalhigh-severitycwe-78
CVE-2025-40949: Critical RUGGEDCOM ROX Command Injection

The National Vulnerability Database has disclosed CVE-2025-40949, a critical command injection vulnerability affecting multiple Siemens RUGGEDCOM ROX devices. This flaw, rated 9.1 CVSS, resides in the Web UI’s Scheduler functionality, where user-supplied input is not properly sanitized.

This oversight allows an authenticated remote attacker to inject commands into the task scheduling backend. The critical impact here is arbitrary command execution with root privileges on the underlying operating system. This is a complete system compromise, enabling full control over the affected industrial network device.

Impacted products include RUGGEDCOM ROX MX5000, MX5000RE, RX1400, RX1500, RX1501, RX1510, RX1511, RX1512, RX1524, RX1536, and RX5000. All versions prior to V2.17.1 are vulnerable. Given these devices’ common deployment in critical infrastructure and industrial control systems, this vulnerability presents a severe operational technology (OT) risk.

What This Means For You

  • If your organization deploys any Siemens RUGGEDCOM ROX devices listed, you must immediately verify their firmware versions. Any device running a version prior to V2.17.1 is critically vulnerable to CVE-2025-40949. Patching is not optional; it's a priority to prevent root-level compromise by an authenticated attacker. Audit logs for any suspicious scheduler activity or unauthorized command execution on these devices.

Related ATT&CK Techniques

T1190 Exploit Public-Facing Application Initial Access T1059.004 Command and Scripting Interpreter: Unix Shell Execution T1204.002 Malicious File Execution: User Execution Execution

🛡️ Detection Rules

3 rules · 6 SIEM formats

3 detection rules auto-generated for this incident, mapped to MITRE ATT&CK. Sigma YAML is free — export to any SIEM format via the Intel Bot.

critical T1059.004 Execution

CVE-2025-40949: RUGGEDCOM ROX Scheduler Command Injection via Web UI

Sigma YAML — free preview 
title: CVE-2025-40949: RUGGEDCOM ROX Scheduler Command Injection via Web UI
id: scw-2026-05-12-ai-1
status: experimental
level: critical
description: |
  Detects attempts to exploit CVE-2025-40949 by targeting the scheduler functionality in the RUGGEDCOM ROX Web UI. The rule looks for specific URI paths and query parameters commonly used in command injection attacks against this vulnerability, aiming to identify the execution of arbitrary commands.
author: SCW Feed Engine (AI-generated)
date: 2026-05-12
references:
  - https://shimiscyberworld.com/posts/nvd-CVE-2025-40949/
tags:
  - attack.execution
  - attack.t1059.004
logsource:
    category: webserver
detection:
  selection:
      cs-uri|contains:
          - '/cgi-bin/webif/scheduler.sh'
      cs-uri-query|contains:
          - 'cmd=' 
          - 'task='
      condition: selection
falsepositives:
  - Legitimate administrative activity

Source: Shimi's Cyber World · License & reuse

✓ Sigma · Splunk SPL Sentinel KQL Elastic QRadar AQL Wazuh Get rules for your SIEM →

Indicators of Compromise

IDTypeIndicator
CVE-2025-40949 Command Injection RUGGEDCOM ROX MX5000 (All versions < V2.17.1)
CVE-2025-40949 Command Injection RUGGEDCOM ROX MX5000RE (All versions < V2.17.1)
CVE-2025-40949 Command Injection RUGGEDCOM ROX RX1400 (All versions < V2.17.1)
CVE-2025-40949 Command Injection RUGGEDCOM ROX RX1500 (All versions < V2.17.1)
CVE-2025-40949 Command Injection Vulnerable component: Scheduler functionality in Web UI

Written by SCW Vulnerability Desk

Source & Attribution
Source PlatformNVD
ChannelNational Vulnerability Database
PublishedMay 12, 2026 at 13:16 UTC

This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.

Believe this infringes your rights? Submit a takedown request.

Related coverage

CVE-2026-45218: WP Travel Blind SQL Injection Puts User Data at Risk

CVE-2026-45218 — Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in WP Travel WP Travel wp-travel allows Blind SQL Injection.This...

vulnerabilityCVEhigh-severitysql-injectioncwe-89
/SCW Vulnerability Desk /HIGH /7.7 /⚑ 4 IOCs /⚙ 6 Sigma

CVE-2026-45215 — Saad Iqbal WP EasyPay Wp-Easy-Pay Vulnerability

CVE-2026-45215 — Insertion of Sensitive Information Into Sent Data vulnerability in Saad Iqbal WP EasyPay wp-easy-pay allows Retrieve Embedded Sensitive Data.This issue affects WP EasyPay:...

vulnerabilityCVEmedium-severitycwe-201
/SCW Vulnerability Desk /MEDIUM /5.3 /⚑ 2 IOCs /⚙ 3 Sigma

Xpro Elementor Addons SQL Injection (CVE-2026-45214) Poses High Risk

CVE-2026-45214 — Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Xpro Xpro Elementor Addons xpro-elementor-addons allows Blind SQL Injection.This...

vulnerabilityCVEhigh-severitysql-injectioncwe-89
/SCW Vulnerability Desk /HIGH /8.5 /⚑ 4 IOCs /⚙ 3 Sigma