VYPR
advisoryPublished Jul 17, 2026· 1 source

Siemens ROX II Switches Targeted by Chained Zero-Day Exploit Trilogy

Three chained zero-day vulnerabilities in Siemens ROX II OT switches allow attackers to gain persistent root access, posing a significant threat to industrial control systems.

Palo Alto Networks' Unit 42 has disclosed a critical exploit chain comprising three zero-day vulnerabilities affecting Siemens ROX II operational technology (OT) switches. This sophisticated attack allows adversaries to escalate privileges and achieve persistent root-level access on these devices, which are integral to industrial control networks. The vulnerabilities, identified as CVE-2025-40948, CVE-2025-40947, and CVE-2025-40949, range in severity from Medium to Critical, with CVSS 3.1 scores of 6.8, 7.5, and 9.1 respectively.

The exploit unfolds in a three-stage process, beginning with reconnaissance and culminating in complete system compromise. The first vulnerability, CVE-2025-40948, is an arbitrary file disclosure flaw. It leverages an insecure configuration of the xz utility, which runs with root privileges, enabling an attacker to read any file on the switch's file system. This stage is crucial for gathering sensitive information such as configuration files, password hashes, and private cryptographic keys, laying the groundwork for subsequent attacks.

Following the initial reconnaissance, the second vulnerability, CVE-2025-40947, facilitates privilege escalation through command injection. This critical flaw resides within the feature key validation function, which fails to properly sanitize an attacker-controlled payload before incorporating it into a command executed with root privileges. Successful exploitation grants an attacker direct command injection capabilities and full root access to the device.

The final stage involves establishing persistent root code execution using CVE-2025-40949. This vulnerability targets the switch's web management task scheduler. Improper input sanitization allows an authenticated attacker to inject malicious commands into the system's root cron table. This malicious entry ensures that the attacker's code persists across system reboots, maintaining complete control over the compromised OT switch.

Siemens has acknowledged these vulnerabilities and released security advisories SSA-973901, SSA-078743, and SSA-081142. The company recommends that customers update their affected ROX II devices to firmware version V2.17.1 to mitigate these risks. Palo Alto Networks customers are protected through their Next-Generation Firewall with Advanced Threat Prevention, which offers virtual patching detection signatures, and their OT Device Security solutions.

This research was conducted in close partnership between Palo Alto Networks' OT Threat Research Lab and Siemens, highlighting a growing trend of industry collaboration to enhance the security of critical infrastructure. OT switches, often considered the nervous systems of industrial networks, are vital for communication between devices like HMIs and PLCs. Their security is paramount for maintaining the integrity and availability of industrial operations.

The disclosure underscores that OT devices, even those on air-gapped or isolated networks, are susceptible to software vulnerabilities. The chained exploit demonstrates how seemingly minor flaws can be combined to achieve a full system compromise, transforming a security device into a platform for malicious activity and threatening the operational integrity of industrial networks.

Synthesized by Vypr AI