Skip to main content
Emerging Threats

Siemens ROX II Zero-Days Expose Critical Infrastructure Risks

Industrial control equipment and network switch on a rack in a brightly-lit control room.

"We conducted this research in close partnership with Siemens, reflecting our shared commitment to advancing the security and resilience of critical infrastructure." — Palo Alto Networks OT Threat Research Lab and Siemens ProductCERT

Three chained zero-days: what was found

Palo Alto Networks’ OT Threat Research Lab, working with Siemens ProductCERT, disclosed a chained exploit made up of three zero-day vulnerabilities in Siemens ROX II operational-technology switches: CVE-2025-40948, CVE-2025-40947, and CVE-2025-40949. Collectively the flaws permit an attacker to move from reconnaissance to full root-level persistence on the device. The individual CVSS 3.1 scores are 6.8 for CVE-2025-40948, 7.5 for CVE-2025-40947, and 9.1 for CVE-2025-40949.

Stage one — CVE-2025-40948: arbitrary file disclosure via xz

The first vulnerability exploits an insecure configuration of the xz utility as invoked by a root-privileged management daemon. xz, when called with the parameters -f, -c and -d, can be used to print file contents similar to cat. The privileged daemon accepts user-supplied parameters and executes xz as root, allowing an attacker to request arbitrary file paths and read any file on the switch file system. As reported, this can expose password hashes, private cryptographic keys, and configuration data useful for follow-on attacks.

Stage two — CVE-2025-40947: feature-key signature command injection

The pivotal escalation arises in the ROX II feature key installation path. Feature keys are cryptographically signed licenses verified on the device using a pre-installed public key. Palo Alto Networks and Siemens reverse-engineered the feature-key handling library and identified a signature verification function that reads a signature line into a fixed-size buffer, inserts the parsed string directly into a gpgv command, then executes it with system() as root. Because there is no input sanitization, an attacker who can control the signature field within size limits can inject commands — for example to execute an uploaded reverse shell — and obtain a root shell on the device.

Stage three — CVE-2025-40949: persistent root via task scheduler

After gaining root, the researchers found CVE-2025-40949 in the device’s web management task scheduler. The scheduler’s configuration fields accept user input that is not properly sanitized; an authenticated attacker can inject control characters and commands that are written into the system task configuration and executed with root privileges. By uploading a payload to the file system and then creating a specially crafted scheduled task, an attacker can cause the scheduler to run the payload on a recurring basis, achieving persistence that survives reboots.

Mitigations: firmware, virtual patching, and incident contact

Siemens has published security advisories SSA-973901, SSA-078743 and SSA-081142 and recommends updating affected ROX II devices to firmware version V2.17.1. Palo Alto Networks notes compensating controls to reduce exposure while organizations test and deploy firmware updates: virtual patching via Next-Generation Firewall with the Advanced Threat Prevention subscription (signatures 97246, 97250, 97249) and OT Device Security for inline protection and visibility. The report also provides system behavior indicators to hunt for compromise, including unusual task scheduler entries and abnormal use of xz with -f, -c and -d executed by the privileged daemon.

What this means for technologists, procurement leaders, and incident responders

  • Technologists and security teams: prioritize firmware upgrades to V2.17.1 and deploy the ATP detection signatures as interim virtual patches; monitor for the listed indicators such as unexpected scheduler entries and xz invocations.
  • Procurement and asset owners: identify ROX II devices in their inventory and plan controlled patching windows, since the vendor advisories are the recommended long-term remediation.
  • Incident response teams: engage Unit 42 Incident Response if compromise is suspected; Unit 42 contact options and regional numbers are provided in the advisory and the report encourages immediate outreach for urgent matters.

The disclosure underlines a practical lesson: OT switches designed to enforce segmentation can become attack platforms if software primitives are exposed to insecure input handling. Palo Alto Networks and Siemens coordinated discovery, validation and remediation, and Palo Alto Networks shared the findings with Cyber Threat Alliance members to accelerate protections. The concrete mitigations are clear — firmware V2.17.1 from Siemens and the specified virtual-patching signatures — but organizations operating ROX II devices will need to balance testing and uptime constraints against the risk of these chained exploits.

https://unit42.paloaltonetworks.com/siemens-rox-ii-zero-day-vulnerabilities/