Siemens has issued an advisory regarding three critical zero-day vulnerabilities (CVE-2025-40948, CVE-2025-40947, and CVE-2025-40949) affecting its ROX II operational technology (OT) switches. These vulnerabilities could allow attackers to gain full privilege escalation and persistent root-level access, posing significant risks to industrial control networks. Users are urged to update their devices to firmware version V2.17.1 to mitigate these vulnerabilities. For detailed information, refer to the Palo Alto Networks advisory.
What the Advisory Covers
This advisory details a chained exploit involving three vulnerabilities that can lead to complete system compromise of Siemens ROX II switches. The vulnerabilities are:
- CVE-2025-40948: Arbitrary file disclosure due to insecure configuration of the xz utility.
- CVE-2025-40947: Privilege escalation via command injection in the feature key validation function.
- CVE-2025-40949: Persistent root code execution through the web management task scheduler.
Affected Products and Versions
The vulnerabilities affect the following:
- Siemens ROX II switches running firmware versions prior to V2.17.1.
Severity and Exploitation Status
The vulnerabilities have been assigned the following CVSS 3.1 scores:
- CVE-2025-40948: 6.8
- CVE-2025-40947: 7.5
- CVE-2025-40949: 9.1
Successful exploitation could lead to full control over the affected devices, making them platforms for malicious activities.
Available Patches or Fixed Versions
Siemens recommends updating affected ROX II devices to firmware version V2.17.1 to mitigate these vulnerabilities. Security advisories SSA-973901, SSA-078743, and SSA-081142 provide further details on the vulnerabilities and the patching process.
Recommended Actions
Organizations using Siemens ROX II switches should take the following actions:
- Update to firmware version V2.17.1 immediately.
- Review security configurations to ensure that no insecure settings are in place.
- Monitor for unusual behavior in system task scheduler entries and the use of the xz utility.
Indicators of Behavior
Defensive teams should be aware of the following indicators that may suggest exploitation:
- Unusual task scheduler entries, characterized by unexpected scripts or commands.
- Abnormal use of the xz utility with parameters -f, -c, and -d, indicating attempts to read restricted files.
For further assistance or if you suspect a compromise, contact the Unit 42 Incident Response team.


