Siemens ROX II Switches Vulnerable: Update to Firmware V2.17.1 to Mitigate CVE-2025-40948, CVE-2025-40947, and CVE-2025-40949 Exploits

Published:

spot_img

Siemens has issued an advisory regarding three critical zero-day vulnerabilities (CVE-2025-40948, CVE-2025-40947, and CVE-2025-40949) affecting its ROX II operational technology (OT) switches. These vulnerabilities could allow attackers to gain full privilege escalation and persistent root-level access, posing significant risks to industrial control networks. Users are urged to update their devices to firmware version V2.17.1 to mitigate these vulnerabilities. For detailed information, refer to the Palo Alto Networks advisory.

What the Advisory Covers

This advisory details a chained exploit involving three vulnerabilities that can lead to complete system compromise of Siemens ROX II switches. The vulnerabilities are:

  • CVE-2025-40948: Arbitrary file disclosure due to insecure configuration of the xz utility.
  • CVE-2025-40947: Privilege escalation via command injection in the feature key validation function.
  • CVE-2025-40949: Persistent root code execution through the web management task scheduler.

Affected Products and Versions

The vulnerabilities affect the following:

  • Siemens ROX II switches running firmware versions prior to V2.17.1.

Severity and Exploitation Status

The vulnerabilities have been assigned the following CVSS 3.1 scores:

  • CVE-2025-40948: 6.8
  • CVE-2025-40947: 7.5
  • CVE-2025-40949: 9.1

Successful exploitation could lead to full control over the affected devices, making them platforms for malicious activities.

Available Patches or Fixed Versions

Siemens recommends updating affected ROX II devices to firmware version V2.17.1 to mitigate these vulnerabilities. Security advisories SSA-973901, SSA-078743, and SSA-081142 provide further details on the vulnerabilities and the patching process.

Recommended Actions

Organizations using Siemens ROX II switches should take the following actions:

  • Update to firmware version V2.17.1 immediately.
  • Review security configurations to ensure that no insecure settings are in place.
  • Monitor for unusual behavior in system task scheduler entries and the use of the xz utility.

Indicators of Behavior

Defensive teams should be aware of the following indicators that may suggest exploitation:

  • Unusual task scheduler entries, characterized by unexpected scripts or commands.
  • Abnormal use of the xz utility with parameters -f, -c, and -d, indicating attempts to read restricted files.

For further assistance or if you suspect a compromise, contact the Unit 42 Incident Response team.

spot_img

Related articles

Recent articles

NSU Launches Cybersecurity Center to Enhance Research and Workforce Development in Bangladesh

North South University (NSU) has inaugurated its Cybersecurity Center to advance research, develop skilled professionals, and strengthen Bangladesh's resilience against emerging cyber threats. This...

UK Regulator Launches Investigation into TikTok Age Verification Amid Strengthened Child Safety Measures

UK Regulator Launches Investigation into TikTok Age Verification Amid Strengthened Child Safety Measures The UK's communications regulator, Ofcom, has initiated a formal investigation into TikTok's...

Legacy Systems, Real-World Risks: Navigating the Challenges of OT Security

Legacy Systems, Real-World Risks: Navigating the Challenges of OT Security Operational Technology (OT) security presents unique challenges that differ significantly from traditional Information Technology (IT)...

Sophos Launches Sophos Fusion: The Complete AI-Native Cybersecurity Defense System for the AI Era

Sophos Launches Sophos Fusion: The Complete AI-Native Cybersecurity Defense System for the AI Era Sophos has unveiled Sophos Fusion, a comprehensive AI-native cybersecurity defense system...