CISA flags 35 CVEs in Siemens Ruggedcom Rox below v2.17.1

CISA published ICS advisory ICSA-26-134-16 covering 35 third-party vulnerabilities in the Siemens Ruggedcom Rox firmware line, all versions before v2.17.1, across at least six hardware platforms: MX5000, MX5000RE, RX1400, RX1500, RX1501, and RX1510.

The CVE list is notable for its span. The oldest entries date to 2019 (CVE-2019-13103, CVE-2019-13104, CVE-2019-13106, and a run of CVE-2019-141xx identifiers tied to U-Boot parsing flaws). The newest reach into 2025 (CVE-2025-49794, CVE-2025-49796, among others). That six-year range reflects a recurring ICS firmware pattern: third-party open-source components (bootloaders, networking libraries, language runtimes) accumulate CVEs faster than embedded device vendors push firmware updates, and operators in industrial environments are often slow to apply even available updates.

What to do

Siemens has released v2.17.1 for affected platforms. The remediation path is straightforward: update. If an immediate firmware update is operationally infeasible, Siemens' general ICS guidance on network segmentation and minimizing remote management exposure applies as interim risk reduction.

Who is affected

Ruggedcom Rox devices are ruggedized routers and network switches commonly deployed in electric utility substations, transportation infrastructure, and industrial control environments, sectors where patch cycles are measured in maintenance windows rather than weeks. Any critical infrastructure operator running Ruggedcom Rox hardware on firmware below v2.17.1 is affected.

No exploitation in the wild is noted in the advisory, but the age and public availability of several of the older CVEs means the exposure surface is well-documented externally.