This vulnerability (CVE-2025-40949) affects Siemens RUGGEDCOM ROX MX5000 series devices running versions earlier than 2.17.1. It is caused by improper neutralization of special elements in the Scheduler feature of the Web UI, which allows authenticated remote attackers to inject OS commands. Successful exploitation results in arbitrary command execution with root privileges on the device's operating system. The CVSS 3.1 base score is 9.1 (AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H), reflecting network attack vector, low attack complexity, high privileges required, no user interaction, and significant impact on confidentiality, integrity, and availability. Siemens has published the vulnerability but has not yet provided an official fix or remediation details.

An authenticated remote attacker can execute arbitrary OS commands with root privileges on affected Siemens RUGGEDCOM ROX MX5000 devices. This can lead to full system compromise, including unauthorized access, data manipulation, and denial of service. The vulnerability affects device integrity, confidentiality, and availability. No known exploits are currently reported in the wild.

Patch status is not yet confirmed — check the Siemens vendor advisory for current remediation guidance. Until an official fix is released, restrict access to the Scheduler functionality in the Web UI to trusted administrators only and monitor for suspicious activity. Avoid exposing management interfaces to untrusted networks. Follow Siemens' future advisories for updates on patches or mitigations.