OT cybersecurity case study: Flaws found and fixed in widely used industrial network devices

Two hidden gaps in Siemens’ RuggedCom ROXOS II, discovered and patched this spring, risked exposing critical infrastructure—such as facilities in manufacturing and the power, transportation, and oil and gas industries—to infiltration by bad actors. But Siemens acted swiftly and reports no real-world exploitations.
Oct. 1, 2025

What you’ll learn:

  • Much of the security of these networks depends on the integrity of vendor-supplied products.
  • When a widely used device such as Siemens’ RuggedCom ROXOS II is compromised, the impact can ripple across critical infrastructure sectors.
  • These findings are a reminder that built-in diagnostic tools can become dangerous entry points when paired with weak input validation.

Industrial networks are engineered for resilience—but that doesn’t mean they’re immune to serious vulnerabilities. In fact, they are often plagued by security gaps due to vendor constraints, financial limitations, "legacy" technologies, and operational demands that prioritize uptime over cybersecurity.

Much of the security of these networks depends on the integrity of vendor-supplied products, making supply chain weaknesses a growing concern.

When a widely used device such as Siemens’ RuggedCom ROXOS II is compromised, the impact can ripple across critical infrastructure sectors that rely on the devices to function securely. (However, the company said in a statement that it was not aware of any real-world exploitations.)

While conducting a penetration test for a client in early 2025, our team at RMC Global discovered a pair of vulnerabilities affecting Siemens RuggedCom ROXOS II devices—commonly used in harsh environments to support critical infrastructure communications.

These flaws, if exploited together, could allow an attacker to gain root access on the device and execute arbitrary commands, resulting in remote code execution.

Disclosure, patch, and prevention

We reported the findings to Siemens on March 19, 2025, and worked with their ProductCERT team.

Siemens issued an initial advisory (SSA-301229) and released a patch for the remote code execution vulnerability on May 13, 2025. A second patch addressing the file upload issue was released in June, followed by full public disclosure.

We appreciate Siemens' quick and professional response and coordination with CISA (advisory ICSA-25-135-17).

Lessons for OT security leaders

These findings are a reminder that built-in diagnostic tools can become dangerous entry points when paired with weak input validation. OT systems must be continuously assessed—not just for perimeter defenses, but for internal misconfigurations, default settings, and overlooked features that can be chained together in unanticipated ways.

In this case, while the exploit requires authentication, the use of weak or default credentials remains a common risk factor found on many RMC assessments, particularly in OT environments. Strengthening password hygiene and changing vendor defaults are essential first steps.

Network segmentation and other compensating controls also play a critical role—especially for devices that may be inherently insecure by design. Even when a device is deployed in a ruggedized or hardened environment, assumptions about trust boundaries can lead to exploitable gaps if layered defenses aren't enforced.

Key takeaways:

  • Restrict administrative web access to secured internal networks.
  • Harden web interfaces and verify input validation mechanisms.
  • Enforce strong password practices and eliminate default credentials.
  • Segment networks and apply layered access controls to limit attacker movement.
  • Regularly apply vendor patches and monitor for ICS advisories.
  • Consider third-party penetration testing for OT environments.

Recent advisories from CISA further underscore how frequently vulnerabilities are identified across industrial control devices, including Siemens’ broader RuggedCom and SCALANCE product lines.

Whether the threat is tied to improper privilege checks, cross-site scripting, or file upload paths, the message is clear: Securing OT infrastructure demands continuous review, even of trusted diagnostic tools and interfaces.

Staying ahead of industrial threats

As OT and IT continue to converge, vulnerabilities like these will become more prevalent, especially as attackers look for novel paths into hardened industrial networks. Keeping pace with these threats requires not just finding vulnerabilities but taking steps to remediate them before they’re exploited in the wild.

For manufacturers, utilities, and operators using RuggedCom ROXOS II devices, patching to version 2.16.5+ is essential. More broadly, it’s a wake-up call to revisit the security of “legacy” tools and overlooked features inside your operational stack.

For a more technical breakdown of the exploit chain, including disclosure timeline, attack steps, and remediation details, visit our full blog post.

About the Author

Trae Mazza

Trae Mazza is a senior security engineer at RMC Global, where he specializes in offensive security with a focus on embedded device assessments. He has over eight years of experience conducting, leading, and managing penetration testing, security compliance, and red team assessments across IT and OT environments for Fortune 500 companies in electric and gas utilities, telecommunications, IoT, and robotics.
