CVE-2025-40949

Severity: High · Type: RCE · Status: Updated

Published: 12 May 2026
Modified: 29 June 2026
KEV Added: not listed
Patch
CVSS v4 score: 8.9 (vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS score: 0.0054 (41.5th percentile)
Risk priority: 55 (floored blend · peak EPSS)

Summary

CVE-2025-40949 is a high-severity OS Command Injection (CWE-78) vulnerability in Siemens RUGGEDCOM ROX MX5000 firmware. Its CVSS base score is 8.9 (High).

Operationally, its EPSS ranks at the 41.5th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

Vulnerability details

A vulnerability has been identified in RUGGEDCOM ROX MX5000 (All versions < V2.17.1), RUGGEDCOM ROX MX5000RE (All versions < V2.17.1), RUGGEDCOM ROX RX1400 (All versions < V2.17.1), RUGGEDCOM ROX RX1500 (All versions < V2.17.1), RUGGEDCOM ROX RX1501 (All versions < V2.17.1), RUGGEDCOM ROX RX1510 (All versions < V2.17.1), RUGGEDCOM ROX RX1511 (All versions < V2.17.1), RUGGEDCOM ROX RX1512 (All versions < V2.17.1), RUGGEDCOM ROX RX1524 (All versions < V2.17.1), RUGGEDCOM ROX RX1536 (All versions < V2.17.1), RUGGEDCOM ROX RX5000 (All versions < V2.17.1). Affected devices do not properly sanitize user-supplied input in the Scheduler functionality of the Web UI, allowing commands to be injected into the task scheduling backend. This could allow an authenticated remote attacker to execute arbitrary commands with root privileges on the underlying operating system.

CWE(s)

CWE-78 (OS Command Injection)

CVEs Like This One

CVE-2018-25115 (shared CWE-78)
CVE-2025-41276 (shared CWE-78)
CVE-2026-28463 (shared CWE-78)
CVE-2024-55590 (shared CWE-78)
CVE-2026-23678 (shared CWE-78)
CVE-2025-56089 (shared CWE-78)
CVE-2025-56087 (shared CWE-78)
CVE-2025-10230 (shared CWE-78)
CVE-2026-27635 (shared CWE-78)
CVE-2026-28470 (shared CWE-78)

Affected Assets

siemens ruggedcom rox mx5000 firmware, versions ≤ 2.17.1
siemens ruggedcom rox mx5000re firmware, versions ≤ 2.17.1
siemens ruggedcom rox rx1400 firmware, versions ≤ 2.17.1
siemens ruggedcom rox rx1500 firmware, versions ≤ 2.17.1
siemens ruggedcom rox rx1501 firmware, versions ≤ 2.17.1
siemens ruggedcom rox rx1510 firmware, versions ≤ 2.17.1
siemens ruggedcom rox rx1511 firmware, versions ≤ 2.17.1
siemens ruggedcom rox rx1512 firmware, versions ≤ 2.17.1
siemens ruggedcom rox rx1524 firmware, versions ≤ 2.17.1
siemens ruggedcom rox rx1536 firmware, versions ≤ 2.17.1
+1 more product configuration(s) — see NVD for full list

Mitigating Controls

Likely Mitigating Controls (AI-derived)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

Control (addresses CWE-78): Platform-independent apps typically execute inside a managed runtime or sandbox that restricts direct OS command execution, reducing the ability to exploit OS command injection.

Control (addresses CWE-78): Validates inputs to block special elements that would alter OS command execution.