OT cybersecurity case study: Flaws found and fixed in widely used industrial network devices
What you’ll learn:
- Much of the security of these networks depends on the integrity of vendor-supplied products.
- When a widely used device such as Siemens’ RuggedCom ROXOS II is compromised, the impact can ripple across critical infrastructure sectors.
- These findings are a reminder that built-in diagnostic tools can become dangerous entry points when paired with weak input validation.
Industrial networks are engineered for resilience—but that doesn’t mean they’re immune to serious vulnerabilities. In fact, they are often plagued by security gaps due to vendor constraints, financial limitations, "legacy" technologies, and operational demands that prioritize uptime over cybersecurity.
Much of the security of these networks depends on the integrity of vendor-supplied products, making supply chain weaknesses a growing concern.
When a widely used device such as Siemens’ RuggedCom ROXOS II is compromised, the impact can ripple across critical infrastructure sectors that rely on the devices to function securely. (However, the company said in a statement that it was not aware of any real-world exploitations.)
While conducting a penetration test for a client in early 2025, our team at RMC Global discovered a pair of vulnerabilities affecting Siemens RuggedCom ROXOS II devices—commonly used in harsh environments to support critical infrastructure communications.
These flaws, if exploited together, could allow an attacker to execute arbitrary commands as root on the device, that is, remote code execution.
Editor’s Note:
After this article was given to Smart Industry, we felt it necessary to reach out to Siemens about the flaws in, and the patches to, their industrial network devices. This is the company’s statement:
“As a trusted partner in critical infrastructure protection, Siemens proactively addresses evolving cybersecurity challenges through collaborative security practices. On this occasion, Siemens thanks RMC Global for reporting a vulnerability in our RuggedCom ROX II product family and for adhering to a coordinated disclosure process that included the U.S. Cybersecurity and Infrastructure Security Agency.
“Siemens has promptly provided a fix with the release of new versions for the affected products and recommends that users update to the latest versions. The identified vulnerability requires pre-existing, highly privileged network access, preventing external exploitation attempts. We are not aware of any real-world exploitation and continue monitoring for any potential impact.”
Devices such as these provide carrier-grade routing and switching in harsh environments, supporting applications like edge computing and industrial cybersecurity. They enable reliable network performance through features like fault recovery, support for various routing protocols, and the configuration of network devices.
We outline here the technical discovery and the coordinated disclosure process with Siemens and the U.S. Cybersecurity and Infrastructure Security Agency and what security leaders need to know.
The devices at risk
The Siemens RuggedCom line is widely used in manufacturing, utilities, and transportation sectors. The vulnerabilities impacted all RuggedCom ROXOS II devices running versions earlier than 2.16.5, including models such as RX1400, RX1500, RX1510, RX1536, MX5000, MX5000RE, RX5000 series and others.
These devices are hardened for industrial use but, as we uncovered, included web user interface features that lacked proper input sanitization—opening the door to deeper exploitation.
The “exploit chain”: From file upload to root shell
Two common vulnerabilities and exposures, or CVEs, were involved in the exploit chain:
- CVE-2025-33023, arbitrary file upload (CVSS v3.1 4.1): The RuggedCom web interface allowed admin users to upload configuration files through the “Install Files” feature. However, there were no file validation checks, meaning attackers could upload files with any extension or content, including malicious scripts.
- CVE-2025-33024, remote code execution (CVSS v3.1 9.9): Using the file upload, our team was able to abuse a built-in diagnostic tool—tcpdump—to execute a reverse shell. By targeting the -z post-rotation flag, we directed the tool to execute a script hidden within a specially crafted .pcap file.
Together, these flaws created a “privilege escalation scenario” from authenticated web access to full root shell on the underlying Linux OS.
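As an added example (not the vendor's code or the assessment's own tooling), here are the two server-side checks that would have closed both flaws described above: an upload validator that allow-lists extensions and checks file magic, and a tcpdump argument builder that forwards only allow-listed options, so -z and -Z can never reach the tool. The option set, the accepted formats and the output directory are assumptions.

```python
import re
import shlex

# Allow-listed upload extensions and the leading bytes each format must carry
# (hypothetical hardening for a device web UI, not vendor code).
ALLOWED_UPLOADS = {
    ".pcap": (b"\xd4\xc3\xb2\xa1", b"\xa1\xb2\xc3\xd4"),  # libpcap magic, LE / BE
    ".pcapng": (b"\x0a\x0d\x0d\x0a",),                   # pcapng Section Header Block
}
SAFE_NAME = re.compile(r"^[A-Za-z0-9_][A-Za-z0-9_.-]{0,63}$")  # no '/', no leading dot

def validate_upload(filename: str, content: bytes) -> bool:
    """Accept a file only if its name is safe, its extension is allow-listed,
    and its content starts with that format's magic bytes (a renamed shell
    script therefore fails even with a .pcap extension)."""
    if not SAFE_NAME.match(filename) or "." not in filename:
        return False
    ext = "." + filename.rsplit(".", 1)[1].lower()
    magics = ALLOWED_UPLOADS.get(ext)
    return magics is not None and content.startswith(magics)

# Options a web user may pass to the capture tool. -z (post-rotate command),
# -Z (user switch), -w and -r (arbitrary paths) are deliberately absent.
ALLOWED_FLAGS = {"-n", "-nn", "-v", "-e", "-q"}
ALLOWED_OPTS = {
    "-c": re.compile(r"^[1-9]\d{0,5}$"),          # packet count
    "-s": re.compile(r"^\d{1,5}$"),               # snap length
    "-i": re.compile(r"^[a-z][a-z0-9.]{0,14}$"),  # interface name
}

def build_tcpdump_argv(user_args: str, out_dir: str = "/var/captures") -> list:
    """Rebuild argv from the allow list; any other token is rejected outright."""
    tokens = shlex.split(user_args)
    argv = ["tcpdump"]
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if tok in ALLOWED_FLAGS:
            argv.append(tok)
            i += 1
        elif tok in ALLOWED_OPTS and i + 1 < len(tokens) and ALLOWED_OPTS[tok].match(tokens[i + 1]):
            argv += [tok, tokens[i + 1]]
            i += 2
        else:
            raise ValueError(f"rejected tcpdump argument: {tok!r}")
    # The output path is fixed server-side, never taken from the request.
    return argv + ["-w", f"{out_dir}/capture.pcap"]
```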
Building the payload
We created a malicious .pcap file using an adapted script from the infosec community (credit to MadHatHacker), embedding a base64-encoded Python reverse shell. After uploading the .pcap file via the web UI, we modified a web request to run tcpdump with the -z flag pointed to our payload. This resulted in a successful remote code execution.
The final command gave us unrestricted access to the device’s file system, processes, and configuration—a worst-case scenario for any industrial environment.
Disclosure, patch, and prevention
We reported the findings to Siemens on March 19, 2025, and worked with their ProductCERT team.
Siemens issued an initial advisory (SSA-301229) and released a patch on May 13, 2025, for the remote code execution vulnerability. A second patch addressing the file upload issue occurred in June, followed by full public disclosure.
We appreciate Siemens' quick and professional response and coordination with CISA (advisory ICSA-25-135-17).
Lessons for OT security leaders
These findings are a reminder that built-in diagnostic tools can become dangerous entry points when paired with weak input validation. OT systems must be continuously assessed—not just for perimeter defenses, but for internal misconfigurations, default settings, and overlooked features that can be chained together in unanticipated ways.
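Added detection example (constructed events, not the device's actual log format, and not part of the original article): a check over process-execution telemetry that flags the two traces the chain above leaves behind, a tcpdump invocation carrying -z or -Z and a child process whose parent is tcpdump. The JSON-lines shape and the field names are assumptions.

```python
import json
import shlex

# Constructed process-execution events, one JSON object per line, in the shape a
# hypothetical EDR or auditd forwarder might emit. Not real RuggedCom logs.
SAMPLE_EVENTS = """\
{"ts": "2025-02-10T10:02:11Z", "host": "rx1500-01", "parent": "webui", "cmd": "tcpdump -nn -i eth0 -c 50 -w /var/captures/c.pcap"}
{"ts": "2025-02-10T10:04:37Z", "host": "rx1500-01", "parent": "webui", "cmd": "tcpdump -i eth0 -w /tmp/c -z /tmp/upload.pcap"}
{"ts": "2025-02-10T10:04:38Z", "host": "rx1500-01", "parent": "tcpdump", "cmd": "/bin/sh /tmp/upload.pcap"}
{"ts": "2025-02-10T10:05:02Z", "host": "rx1500-01", "parent": "sshd", "cmd": "tcpdump -i eth1 -c 10"}
"""

def has_exec_option(argv: list) -> bool:
    """True if tcpdump was given -z (run a command after file rotation) or -Z
    (switch user), whether as a separate token or glued to its value (-Zroot)."""
    return any(a.startswith(("-z", "-Z")) for a in argv[1:])

def tcpdump_alerts(events_text: str) -> list:
    """Return (timestamp, rule, command) triples for suspicious capture-tool activity."""
    alerts = []
    for line in events_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        argv = shlex.split(ev["cmd"])
        exe = argv[0].rsplit("/", 1)[-1] if argv else ""
        # Rule 1: a diagnostic capture should never carry a post-rotate command.
        if exe == "tcpdump" and has_exec_option(argv):
            alerts.append((ev["ts"], "tcpdump launched with -z/-Z", ev["cmd"]))
        # Rule 2: tcpdump has no business spawning children; -z is how it would.
        if ev.get("parent") == "tcpdump":
            alerts.append((ev["ts"], "child process spawned by tcpdump", ev["cmd"]))
    return alerts

if __name__ == "__main__":
    for ts, rule, cmd in tcpdump_alerts(SAMPLE_EVENTS):
        print(ts, rule, cmd, sep=" | ")
```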
In this case, while the exploit requires authentication, the use of weak or default credentials remains a common risk factor found on many RMC assessments, particularly in OT environments. Strengthening password hygiene and changing vendor defaults are essential first steps.
Network segmentation and other compensating controls also play a critical role—especially for devices that may be inherently insecure by design. Even when a device is deployed in a ruggedized or hardened environment, assumptions about trust boundaries can lead to exploitable gaps if layered defenses aren't enforced.
Key takeaways:
- Restrict administrative web access to secured internal networks.
- Harden web interfaces and verify input validation mechanisms.
- Enforce strong password practices and eliminate default credentials.
- Segment networks and apply layered access controls to limit attacker movement.
- Regularly apply vendor patches and monitor for ICS advisories.
- Consider third-party penetration testing for OT environments.
Recent advisories from CISA further underscore how frequently vulnerabilities are identified across industrial control devices, including Siemens’ broader RuggedCom and SCALANCE product lines.
Whether the threat is tied to improper privilege checks, cross-site scripting, or file upload paths, the message is clear: Securing OT infrastructure demands continuous review, even of trusted diagnostic tools and interfaces.
Staying ahead of industrial threats
As OT and IT continue to converge, vulnerabilities like these will become more prevalent, especially as attackers look for novel paths into hardened industrial networks. Keeping pace with these threats requires not just finding vulnerabilities but taking steps to remediate them before they’re exploited in the wild.
For manufacturers, utilities, and operators using RuggedCom ROXOS II devices, patching to version 2.16.5+ is essential. More broadly, it’s a wake-up call to revisit the security of “legacy” tools and overlooked features inside your operational stack.
For a more technical breakdown of the exploit chain, including disclosure timeline, attack steps, and remediation details, visit our full blog post.
About the Author

Trae Mazza
Trae Mazza is a senior security engineer at RMC Global, where he specializes in offensive security with a focus on embedded device assessments. He has over eight years of experience conducting, leading, and managing penetration testing, security compliance, and red team assessments across IT and OT environments for Fortune 500 companies in electric and gas utilities, telecommunications, IoT, and robotics.