Siemens Ruggedcom Rox Scheduler flaw enables root-level RCE
CVE-2025-40949 scores 9.1 CVSS; authenticated remote attackers can inject OS commands through the Web UI task scheduler.
Editorial brief
CISA advisory ICSA-26-134-12 covers a CVSS 9.1 OS command injection flaw (CVE-2025-40949) in the Web UI Scheduler of eleven Ruggedcom Rox product lines, all versions before 2.17.1. An authenticated remote attacker can inject arbitrary commands into the task scheduling backend and execute them with root privileges on the underlying OS. Operators running any Ruggedcom ROX MX5000, MX5000RE, or RX-series device in critical manufacturing environments should update to V2.17.1 now.
The flaw sits in the Scheduler functionality of the Ruggedcom Rox Web UI: user-supplied input is not properly sanitized before being passed to the task scheduling backend, so an attacker who already holds a privileged account can append OS commands to a scheduled task and have the backend run them. The CVSS 3.1 vector (AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H) says the attack vector is the network, attack complexity is low, high privileges (PR:H, an administrative-level login) are required, no user interaction is needed, and scope is changed: the vulnerable component is the web application, but the impact lands on the underlying operating system, where the injected commands run as root with full loss of confidentiality, integrity and availability.
Eleven product lines are affected: RUGGEDCOM ROX MX5000, MX5000RE, RX1400, RX1500, RX1501, RX1510, RX1511, RX1512, RX1524, RX1536, and RX5000, all running firmware below V2.17.1. These are industrial routers and network management devices commonly deployed in utility, energy, and critical manufacturing environments worldwide.
Siemens has shipped V2.17.1 as the fix. The patch is available via the Siemens Industry support portal (support.industry.siemens.com, document 110002017). Siemens ProductCERT reported the vulnerability to CISA after receiving it from Emmanuel Zhou, Rick Wyble, Mehmet Balta, and Adam Robbie of the Palo Alto Networks OT Threat Research Lab.
The PR:H requirement means the attacker needs an existing high-privilege (administrative-level) account on the device, which rules out unauthenticated mass exploitation but does not reduce urgency in environments where shared, default, or long-lived administrative credentials are common practice, or where the Web UI is reachable from a corporate network. Update to V2.17.1, restrict management-plane access to trusted networks, rotate any credentials that may have been shared, and audit Scheduler job configurations for entries you did not create or whose command text contains shell metacharacters such as `;`, `|`, `&&` or `$(`.
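The injection pattern described above and the audit step recommended here, as an added example that is not Siemens code and does not reflect the ROX scheduler's real data model: a hypothetical scheduler backend that builds a shell string from a job argument (vulnerable), the same backend hardened with an action allow-list, argument validation and argv execution without a shell, and an audit helper that flags job entries carrying shell metacharacters. The job format, action names and sample jobs are constructed; `echo` stands in for the real binaries so the effect is visible in stdout.

```python
import re
import subprocess

# Constructed sample jobs in a hypothetical scheduler export format
# (not the ROX data model): a name, an allow-listed action and one argument.
# The last two carry the kind of value an injected job would contain.
SAMPLE_JOBS = [
    {"name": "nightly-backup", "action": "backup", "arg": "/var/lib/config"},
    {"name": "prune-logs", "action": "logrotate", "arg": "7"},
    {"name": "tmp", "action": "backup", "arg": "/tmp; echo INJECTED"},
    {"name": "sub", "action": "backup", "arg": "$(echo INJECTED)"},
]

# Hypothetical action table. A real backend would map to binaries; `echo`
# stands in so the example runs anywhere and prints what the shell saw.
ACTIONS = {
    "backup": ["echo", "backup"],
    "logrotate": ["echo", "logrotate"],
}

# Characters that let a value escape its argument position under `sh -c`.
SHELL_META = re.compile(r"""[;&|`$<>(){}\\'"\n]""")
# Strict allow-list for the one argument the hypothetical actions accept.
SAFE_ARG = re.compile(r"[A-Za-z0-9_./-]{1,128}")


def vulnerable_command(job):
    """VULNERABLE: the job argument is concatenated into a shell string.
    '/tmp; echo INJECTED' becomes two commands once sh parses it."""
    return " ".join(ACTIONS[job["action"]]) + " " + job["arg"]


def run_vulnerable(job):
    """Runs the concatenated string through /bin/sh (shell=True)."""
    res = subprocess.run(vulnerable_command(job), shell=True,
                         capture_output=True, text=True)
    return res.stdout


def hardened_command(job):
    """Hardened: action allow-listed, argument validated against SAFE_ARG,
    argv list built so the value is one argument and no shell is involved."""
    if job["action"] not in ACTIONS:
        raise ValueError("unknown action: %r" % job["action"])
    if not SAFE_ARG.fullmatch(job["arg"]):
        raise ValueError("argument rejected: %r" % job["arg"])
    return ACTIONS[job["action"]] + [job["arg"]]


def accepts(job):
    """True if the hardened backend would schedule this job at all."""
    try:
        hardened_command(job)
        return True
    except ValueError:
        return False


def run_hardened(job):
    """Executes the argv list directly; metacharacters are inert here."""
    res = subprocess.run(hardened_command(job), capture_output=True, text=True)
    return res.stdout


def find_suspicious_jobs(jobs):
    """Audit step: names of jobs whose argument carries shell metacharacters,
    the trace an injected job leaves behind in a scheduler export."""
    return [j["name"] for j in jobs if SHELL_META.search(j["arg"])]


if __name__ == "__main__":
    print(run_vulnerable(SAMPLE_JOBS[2]), end="")   # backup /tmp, then INJECTED
    print(run_hardened(SAMPLE_JOBS[0]), end="")     # backup /var/lib/config
    print(accepts(SAMPLE_JOBS[2]))                  # False
    print(find_suspicious_jobs(SAMPLE_JOBS))        # ['tmp', 'sub']
```

The argv list is what actually removes the bug: even without the allow-list, `["echo", "backup", "/tmp; echo INJECTED"]` passes the whole string as a single argument and nothing interprets the `;`. The validation on top keeps junk out of the job store, and the same metacharacter pattern used to reject input serves as the audit rule for reviewing existing entries after patching.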
Deep Fathom