
CVE-2025-41224: CWE-693: Protection Mechanism Failure in Siemens RUGGEDCOM RMC8388 V5.X

Severity: High
Type: Vulnerability
Tags: CVE-2025-41224, cve, cve-2025-41224, cwe-693
Published: Tue Jul 08 2025 (07/08/2025, 10:35:09 UTC)
Source: CVE Database V5
Vendor/Project: Siemens
Product: RUGGEDCOM RMC8388 V5.X

Description

A vulnerability has been identified in RUGGEDCOM RMC8388 V5.X (All versions < V5.10.0), RUGGEDCOM RMC8388NC V5.X (All versions < V5.10.0), RUGGEDCOM RS416NCv2 V5.X (All versions < V5.10.0), RUGGEDCOM RS416PNCv2 V5.X (All versions < V5.10.0), RUGGEDCOM RS416Pv2 V5.X (All versions < V5.10.0), RUGGEDCOM RS416v2 V5.X (All versions < V5.10.0), RUGGEDCOM RS900 (32M) V5.X (All versions < V5.10.0), RUGGEDCOM RS900G (32M) V5.X (All versions < V5.10.0), RUGGEDCOM RS900GNC(32M) V5.X (All versions < V5.10.0), RUGGEDCOM RS900NC(32M) V5.X (All versions < V5.10.0), RUGGEDCOM RSG2100 (32M) V5.X (All versions < V5.10.0), RUGGEDCOM RSG2100NC(32M) V5.X (All versions < V5.10.0), RUGGEDCOM RSG2100P (32M) V5.X (All versions < V5.10.0), RUGGEDCOM RSG2100PNC (32M) V5.X (All versions < V5.10.0), RUGGEDCOM RSG2288 V5.X (All versions < V5.10.0), RUGGEDCOM RSG2288NC V5.X (All versions < V5.10.0), RUGGEDCOM RSG2300 V5.X (All versions < V5.10.0), RUGGEDCOM RSG2300NC V5.X (All versions < V5.10.0), RUGGEDCOM RSG2300P V5.X (All versions < V5.10.0), RUGGEDCOM RSG2300PNC V5.X (All versions < V5.10.0), RUGGEDCOM RSG2488 V5.X (All versions < V5.10.0), RUGGEDCOM RSG2488NC V5.X (All versions < V5.10.0), RUGGEDCOM RSG907R (All versions < V5.10.0), RUGGEDCOM RSG908C (All versions < V5.10.0), RUGGEDCOM RSG909R (All versions < V5.10.0), RUGGEDCOM RSG910C (All versions < V5.10.0), RUGGEDCOM RSG920P V5.X (All versions < V5.10.0), RUGGEDCOM RSG920PNC V5.X (All versions < V5.10.0), RUGGEDCOM RSL910 (All versions < V5.10.0), RUGGEDCOM RSL910NC (All versions < V5.10.0), RUGGEDCOM RST2228 (All versions < V5.10.0), RUGGEDCOM RST2228P (All versions < V5.10.0), RUGGEDCOM RST916C (All versions < V5.10.0), RUGGEDCOM RST916P (All versions < V5.10.0). The affected products do not properly enforce interface access restrictions when changing from management to non-management interface configurations until a system reboot occurs, despite configuration being saved. 
This could allow an attacker with network access and credentials to gain access to the device through a non-management interface and maintain SSH access to the device until reboot.

AI-Powered Analysis

Last updated: 07/08/2025, 10:54:32 UTC

Technical Analysis

CVE-2025-41224 is a high-severity vulnerability affecting multiple Siemens RUGGEDCOM ruggedized network devices running firmware versions prior to 5.10.0. The vulnerability stems from a protection mechanism failure (CWE-693) where the devices do not properly enforce interface access restrictions when transitioning configurations from management interfaces to non-management interfaces. Specifically, even after saving the configuration changes that should restrict access, the enforcement does not take effect until the device undergoes a reboot. This flaw allows an attacker who has network access and valid credentials to continue accessing the device via non-management interfaces, including maintaining SSH sessions, until the device is rebooted. The vulnerability affects a broad range of RUGGEDCOM devices, including models such as RMC8388, RS416 series, RS900 series, RSG2100 series, RSG2288, RSG2300 series, RSG2488, RSG907R, RSG908C, RSG909R, RSG910C, RSG920P series, RSL910, RST2228 series, and RST916 series. The CVSS v3.1 base score is 8.8, indicating a high severity with attack vector being adjacent network (AV:A), low attack complexity (AC:L), no privileges required (PR:N), no user interaction (UI:N), and impacts on confidentiality, integrity, and availability all rated high. This means an attacker on the same or connected network segment can exploit this vulnerability without prior authentication or user interaction, potentially gaining persistent unauthorized access and control over critical network devices until a reboot occurs. Given the critical role of RUGGEDCOM devices in industrial control systems, utilities, and critical infrastructure, this vulnerability poses a significant risk for operational disruption and unauthorized network access.

Potential Impact

For European organizations, especially those operating critical infrastructure such as energy grids, transportation networks, and industrial automation systems, this vulnerability presents a substantial threat. Siemens RUGGEDCOM devices are widely deployed in Europe for their ruggedness and reliability in harsh environments. An attacker exploiting this vulnerability could maintain unauthorized SSH access to network devices that manage critical communication paths, potentially leading to data exfiltration, manipulation of network traffic, or disruption of control systems. The persistence of access until reboot means that even after configuration changes intended to restrict access, the attacker can continue operations undetected for extended periods. This could facilitate lateral movement within industrial networks, sabotage, or espionage. The high impact on confidentiality, integrity, and availability could result in operational downtime, safety hazards, regulatory non-compliance, and financial losses. Moreover, the vulnerability does not require user interaction or privileges, increasing the likelihood of exploitation in environments where network segmentation is insufficient or where attackers have gained initial footholds.

Mitigation Recommendations

1. Immediate firmware upgrade to version 5.10.0 or later on all affected Siemens RUGGEDCOM devices to ensure proper enforcement of interface access restrictions.
2. Until patching is possible, enforce strict network segmentation and access control lists (ACLs) to limit network access to management interfaces only from trusted hosts and networks.
3. Implement continuous monitoring of SSH sessions and network traffic on RUGGEDCOM devices to detect anomalous or unauthorized access patterns.
4. Schedule regular device reboots after configuration changes to ensure that access restrictions are enforced promptly.
5. Employ multi-factor authentication (MFA) for device access where supported to reduce risk from credential compromise.
6. Conduct thorough audits of device configurations and access logs to identify any unauthorized access attempts or persistence.
7. Coordinate with Siemens support and security advisories for any additional mitigations or updates.
8. Incorporate this vulnerability into incident response plans, emphasizing rapid detection and containment of unauthorized access on industrial network devices.
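An added triage sketch for recommendations 1, 3 and 4 (not Siemens or vendor code): it flags devices below V5.10.0, marks those where a management interface was demoted after the last boot (so the restriction is saved but not yet enforced), and lists live SSH sessions arriving on non-management interfaces. The inventory record, its field names, the status labels and the sample fleet are assumptions constructed for illustration; populate them from your own asset and session data.

```python
from dataclasses import dataclass, field
from datetime import datetime
from typing import Optional

FIXED = (5, 10, 0)  # first fixed release named in the advisory


@dataclass
class Device:  # hypothetical inventory record, not a RUGGEDCOM data format
    name: str
    firmware: str                                   # e.g. "5.9.1" or "V5.10.0"
    last_boot: datetime
    mgmt_removed_at: Optional[datetime] = None      # last management -> non-management change
    mgmt_ifaces: set = field(default_factory=set)   # interfaces configured as management
    ssh_ifaces: list = field(default_factory=list)  # ingress interface of each live SSH session


def parse_version(text):
    """Turn '5.9', 'V5.10.0' etc. into a 3-tuple so 5.10.0 sorts above 5.9.x."""
    parts = [int(p) for p in text.strip().lstrip("vV").split(".")]
    return tuple(parts + [0] * (3 - len(parts)))


def assess(dev):
    """Return (status, SSH ingress interfaces that are not management interfaces)."""
    stray = sorted(set(dev.ssh_ifaces) - dev.mgmt_ifaces)
    if parse_version(dev.firmware) >= FIXED:
        status = "ok"
    elif dev.mgmt_removed_at and dev.mgmt_removed_at > dev.last_boot:
        # Affected firmware and the change postdates the last boot:
        # the saved restriction is not in force until the device reboots.
        status = "reboot-then-upgrade"
    else:
        status = "upgrade"
    return status, stray


# Constructed sample fleet; names, interfaces and timestamps are made up.
T = datetime.fromisoformat
FLEET = [
    Device("sw-a", "5.9.1", T("2025-06-01T00:00:00"), T("2025-07-01T12:00:00"), {"vlan10"}, ["vlan20"]),
    Device("sw-b", "V5.8", T("2025-07-02T00:00:00"), T("2025-07-01T12:00:00"), {"vlan10"}, ["vlan10"]),
    Device("sw-c", "5.10.0", T("2025-05-01T00:00:00"), T("2025-07-01T12:00:00"), {"vlan10"}, []),
]


def report(fleet=FLEET):
    return {d.name: assess(d) for d in fleet}


if __name__ == "__main__":
    for name, (status, stray) in report().items():
        print(f"{name}: {status}; SSH on non-management interfaces: {stray or 'none'}")
```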


Technical Details

Data Version: 5.1
Assigner Short Name: siemens
Date Reserved: 2025-04-16T09:27:14.282Z
Cvss Version: 3.1
State: PUBLISHED

Threat ID: 686cf5646f40f0eb72f3f62a

Added to database: 7/8/2025, 10:39:32 AM

Last enriched: 7/8/2025, 10:54:32 AM

Last updated: 7/8/2025, 1:05:23 PM
