惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

AI
AI
G
Google Developers Blog
T
Tailwind CSS Blog
大猫的无限游戏
大猫的无限游戏
量子位
月光博客
月光博客
美团技术团队
阮一峰的网络日志
阮一峰的网络日志
罗磊的独立博客
T
The Exploit Database - CXSecurity.com
C
CXSECURITY Database RSS Feed - CXSecurity.com
Latest news
Latest news
P
Privacy International News Feed
www.infosecurity-magazine.com
www.infosecurity-magazine.com
WordPress大学
WordPress大学
博客园 - 三生石上(FineUI控件)
TaoSecurity Blog
TaoSecurity Blog
Hacker News: Ask HN
Hacker News: Ask HN
Hugging Face - Blog
Hugging Face - Blog
钛媒体:引领未来商业与生活新知
钛媒体:引领未来商业与生活新知
C
Cisco Blogs
Project Zero
Project Zero
Security Latest
Security Latest
Exploit-DB.com RSS Feed
Exploit-DB.com RSS Feed
奇客Solidot–传递最新科技情报
奇客Solidot–传递最新科技情报
人人都是产品经理
人人都是产品经理
Scott Helme
Scott Helme
S
Securelist
有赞技术团队
有赞技术团队
T
Threat Research - Cisco Blogs
N
News | PayPal Newsroom
博客园 - 聂微东
小众软件
小众软件
S
SegmentFault 最新的问题
D
Darknet – Hacking Tools, Hacker News & Cyber Security
K
KPMG report finds enterprise disconnect between AI and its ROI | CIO
P
Privacy & Cybersecurity Law Blog
博客园 - Franky
Cyberwarzone
Cyberwarzone
Cisco Talos Blog
Cisco Talos Blog
cs.CL updates on arXiv.org
cs.CL updates on arXiv.org
Spread Privacy
Spread Privacy
A
Arctic Wolf
S
Security @ Cisco Blogs
The Hacker News
The Hacker News
腾讯CDC
博客园 - 【当耐特】
T
Troy Hunt's Blog
NISL@THU
NISL@THU
爱范儿
爱范儿

Unit 42

AI, Automation and Attacks: Unpacking the Unit 42 2026 Global Incident Response Report TuxBot v3: Inside an IoT Botnet Framework With LLM-Assisted Development No Manners Here: The Ruthless Rise of The Gentlemen Ransomware Vidar Stealer Unmasked: Code Signing Abuse, Go Loaders and File Inflation How We Added WebAuthn to a Browser-Based RDP Client Phantom Squatting: AI-Hallucinated Domains as a Software Supply Chain Vector CL-STA-1062 Targets Southeast Asian Governments and Critical Infrastructure OpenClaw’s Skill Marketplace and the Emerging AI Supply Chain Threat The Global Namespace Risk: Universal Bucket Hijacking Technique for Cloud Data Exfiltration Threat Brief: Mitigating Large-Scale Credential Attacks Pickle in the Middle – Hijacking Vertex AI Model Uploads for Cross-Tenant RCE Inside the Modern SOC: The 72-Minute Race Tracing Digital Intent: New MacOS Tahoe 26 Artifact Discovered Trust No Skill: Integrity Verification for AI Agent Supply Chains Blinding the Watchmen: Abusing Cloud Logging Services for Defense Evasion and Visibility When “Hi, This Is IT” Comes Through Microsoft Teams Threat Brief: Active Exploitation of PAN-OS CVE-2026-0257 The npm Threat Landscape: Attack Surface and Mitigations (Updated June 2) Operation FlutterBridge: macOS Malvertising Campaign Spreads New FlutterShell Backdoor 2026 World Cup: Discussing The World’s Biggest Game’s Attack Surface Out of the Crypt: The Evolving Cyber Extortion Economy Tracking Iranian APT Screening Serpens’ 2026 Espionage Campaigns Paved With Intent: ROADtools and Nation-State Tactics in the Cloud Tracking TamperedChef Clusters via Certificate and Code Reuse Gremlin Stealer's Evolved Tactics: Hiding in Plain Sight With Resource Files Inside AD CS Escalation: Unpacking Advanced Misuse Techniques and Tools Threat Brief: Exploitation of PAN-OS Captive Portal Zero-Day for Unauthenticated Remote Code Execution Copy Fail: What You Need to Know About the Most Severe Linux Threat in Years Essential Data Sources for Detection Beyond the Endpoint That AI Extension Helping You Write Emails? It’s Reading Them First TGR-STA-1030: New Activity in Central and South America Frontier AI and the Future of Defense: Your Top Questions Answered Can AI Attack the Cloud? Lessons From Building an Autonomous Cloud Offensive Multi-Agent System
Three Steps to the Terminal: A Siemens ROX II Zero-Day Trilogy
Emmanuel Zhou, Adam Robbie, Rick Wyble, Miguel Pereira · 2026-07-17 · via Unit 42

Executive Summary

We conducted this research in close partnership with Siemens, reflecting our shared commitment to advancing the security and resilience of critical infrastructure.

This report details a critical, chained exploit comprising three zero-day vulnerabilities (CVE-2025-40948, CVE-2025-40947, and CVE-2025-40949) discovered in Siemens ROX II operational technology (OT) switches. Successful exploitation of this chain would allow an attacker to achieve full privilege escalation and persistent root-level access on these devices, which are critical components of industrial control networks. The vulnerabilities range from Medium to Critical severity, with CVSS 3.1 scores of 6.8 (CVE-2025-40948), 7.5 (CVE-2025-40947), and 9.1 (CVE-2025-40949).

The attack vector proceeds in three stages, escalating from reconnaissance to complete system compromise:

  • Arbitrary file disclosure (CVE-2025-40948): An attacker leverages an insecure configuration of the xz utility, which executes with root privileges, to read any file on the switch’s file system. This vulnerability enables initial reconnaissance that could reveal critical information such as sensitive configuration files, password hashes and private cryptographic keys.
  • Privilege escalation via command injection (CVE-2025-40947): This critical flaw resides in the feature key validation function. The function fails to sanitize an attacker-controlled payload before inserting it directly into a command executed with root privileges. Exploiting this allows for direct command injection and full root access.
  • Persistent root code execution (CVE-2025-40949): Following privilege escalation, the final vulnerability is exploited in the switch’s web management task scheduler. Improper input sanitization allows an authenticated attacker to inject malicious commands into the system’s root cron table. This establishes persistent code execution, surviving system reboots and maintaining full control.

These vulnerabilities could collectively transform a vital network security device into a platform for malicious activity, severely threatening the integrity and availability of the industrial network. Siemens has released security advisories SSA-973901, SSA-078743 and SSA-081142 to address these issues, which recommend that customers update their affected ROX II devices to firmware version V2.17.1.

Palo Alto Networks customers are better protected against these threats through the following products and services:

If you think you might have been compromised or have an urgent matter, contact the Unit 42 Incident Response team.

Partnership Overview

The Palo Alto Networks OT Threat Research Lab and Siemens partnered to advance the security and resilience of critical infrastructure through collaborative vulnerability research on the Ruggedcom ROX II platform. We combined the OT Threat Research Lab’s expertise in industrial cybersecurity research with Siemens’ deep product knowledge and the coordination capabilities of Siemens ProductCERT. These teams worked together to identify, validate, remediate and responsibly disclose security vulnerabilities.

This collaboration reflects the growing importance of industry partnerships in securing OT environments. As critical infrastructure enters the AI era, organizations must work together more closely than ever to address emerging threats, accelerate vulnerability remediation and strengthen the security of the technologies that support essential services worldwide. This partnership demonstrates how coordinated research and responsible disclosure can help build a more resilient and secure future for critical infrastructure.

The Role of OT Switches

The modern OT environment is a complex network of devices working in concert. At the heart of this connectivity are OT switches, which act as the nervous systems of industrial networks, directing communication between critical assets like human-machine interfaces (HMIs) and programmable logic controllers (PLCs).

Protecting the integrity and availability of these switches is paramount for any industrial operation, be it a factory floor or a power plant. For instance, a properly configured OT switch provides crucial network segmentation, which enhances security by isolating different parts of the network while still allowing necessary communication.

However, OT switches designed to secure the network can themselves become attack surfaces. A common misconception is that because these devices are often air-gapped or sit on isolated networks, they’re inherently safe. In reality, they are just as susceptible to software vulnerabilities as any other IT equipment, allowing an unprivileged attacker to exploit software flaws, escalate privileges and disrupt OT communication.

This threat research article demonstrates how seemingly benign flaws can be exploited to initiate a chain of events. In this case, this could lead to full control of the critical OT switch operating system ROX II.

The Impact: From Innocuous to Hostile

Arbitrary File Disclosure

The first vulnerability, CVE-2025-40948, is an arbitrary file disclosure vulnerability. While not immediately devastating, this flaw provides vital intelligence by revealing sensitive information on the switch operating system (OS), from password hashes to network topology data. This initial foothold is a crucial step in a sophisticated attack.

Privilege Escalation and Root Access

The second vulnerability, CVE-2025-40947, is the pivotal privilege escalation flaw. We identified this vulnerability by carefully analyzing the switch’s feature key functionality, a mechanism designed to unlock optional capabilities. By reverse-engineering this feature, we discovered a way to exploit its internal logic and gain root access. This vulnerability grants an attacker total control, bypassing available security measures and transforming the switch into a platform for malicious activity.

Persistence via Task Scheduling

The third vulnerability, CVE-2025-40949, solidifies the attacker’s control by exploiting the switch’s task scheduling functionality. An authenticated attacker can schedule malicious scripts to run with root privilege at predetermined intervals, ensuring persistence even after a reboot. This allows for ongoing malicious activity, such as data exfiltration or denial-of-service attacks, making the compromise difficult to detect or remove.

Exploit Chain Part 1: Exploiting CVE-2025-40948, Then Misusing xz for File System Information Disclosure

During the initial analysis of the switch’s publicly available firmware, we worked with Siemens researchers and located a key configuration file associated with a privileged daemon. This file is used by a management and configuration daemon running with root privileges on the switch’s operating system. As a root-privileged process, it can perform any action on the system, including reading and writing any file.

Using CVE-2025-40948 to Misuse xz for Arbitrary File Disclosure

The xz command is a common Linux utility primarily used for compressing files into the XZ format with a highly effective compression algorithm. However, xz can be used with specific parameters to function like the standard Linux cat command, which is used to print files to standard output. By supplying the parameters -f, -c and -d at the same time, an attacker can instruct xz to view file contents.

The CVE-2025-40948 vulnerability lies in the privileged daemon executing the xz command with user-provided parameters. Since the process runs as root, an attacker can pass any file path to xz, allowing it to read any file on the file system, including those normally inaccessible to regular users.

The Impact: Unrestricted File Access

This insecure configuration creates a significant arbitrary file disclosure vulnerability. An attacker can leverage this to:

  • Read sensitive configuration and system files containing credential information
  • Access private keys or other cryptographic materials
  • Gather information about the system and network, paving the way for further attacks

In the case of the ROX II switch, this oversight would have allowed an attacker to leak the contents of any file on the file system. This highlights the importance of carefully vetting all commands executed by privileged processes and ensuring that user input is never used to construct commands insecurely.

Exploit Chain Part 2: Exploiting CVE-2025-40947, the Feature Key for Root Access

The Feature Key Mechanism

To understand CVE-2025-40947, we must first understand how the Siemens feature key mechanism works. A feature key is a cryptographically signed license that enables specific functionalities on the switch. When a customer purchases a license, Siemens provides a signature (i.e., the feature key) that the customer installs on the device. The switch then uses a pre-installed public key to verify the feature key’s authenticity and enable the corresponding features. This process is intended to be secure, but our analysis revealed a critical flaw in its implementation.

How the Vulnerability Works

By reverse engineering the feature key handling library (responsible for installation), we identified the CVE-2025-40947 vulnerability in its signature verification function. This function is responsible for validating the signature provided in the feature key. The function involves three important steps:

  1. Read and parse: The function reads from the feature key file and parses a signature line containing up to a fixed number of characters
  2. Command preparation: It then prepares a Linux command to verify the signature using the gpgv utility, inserting the parsed signature string directly into the command
  3. Command execution: Finally, it executes the constructed command using system() with root privileges

The code excerpt in Figure 1 shows how the signature is copied into the command string before being executed. This is the root cause of the command injection vulnerability, as there is no sanitization or validation of the input signature before it is inserted into the command string.

A screenshot of a code snippet showing potential security vulnerabilities. The code is commented in steps, demonstrating how an attacker could manipulate a command string to execute code as root. Vulnerabilities include lack of sanitization and command injection possibilities.
Figure 1. Code excerpt showing how the signature is copied into the command string.

CVE-2025-40947 Exploitation in Practice

To exploit this vulnerability, an attacker needs to craft a payload that fits within the signature field size limit. The exploitation process involves two main steps:

  1. File upload: The attacker first uses the web UI’s normal file upload functionality for a feature key to upload a malicious script (e.g., a Python reverse shell) to a writable directory on the switch.
  2. Command injection: Next, the attacker crafts a new feature key file where the signature field contains a command injection payload. This payload is designed to execute the malicious script that was previously uploaded. For example, a payload like $(python /tmp/rev_shell.py) could be used, where /tmp/rev_shell.py is the uploaded script.

When the attacker uploads this specially crafted feature key, the vulnerable verification function will execute the injected command with root privileges, giving the attacker a reverse shell and full control over the device. This attack vector highlights the importance of robust input validation and secure coding practices, especially when handling external data and executing system commands.

Exploit Chain Part 3: Exploiting CVE-2025-40949, Persistence via System Scheduling

Following the initial privilege escalation, we discovered a third critical vulnerability, CVE-2025-40949, in the Siemens ROX II switch's system scheduling functionality. This flaw allows an authenticated attacker to establish persistent execution of arbitrary commands with root privileges.

CVE-2025-40949 Vulnerability Details

The vulnerability resides in the switch’s system task scheduler, which is used to automate periodic command execution. An authenticated attacker can manipulate input fields within the web management interface used to configure scheduled tasks.

Due to improper sanitization and validation of user-supplied data, the attacker can inject control characters and commands into the underlying system configuration file responsible for task execution. This technique results in a command injection attack executed with root privileges. The impact is persistent code execution as the root user, enabling long-term compromise that survives system reboots and maintains control over the device.

Exploit Chain Proof of Concept (PoC)

Exploiting this vulnerability involves several steps that an authenticated attacker can perform via the web management interface. This high-level summary demonstrates how persistent root access is achieved.

  • Step 1 - Prepare the malicious code: The attacker prepares malicious code, such as a script designed for communication or system manipulation. This payload is stored in a location accessible by the switch's operating system.
  • Step 2 - Inject the command: The attacker uses the task scheduler interface to create a new scheduled task. By crafting a special input string for some of the task configuration fields, the attacker is able to inject an execution command. This command is structured to overwrite or bypass the intended task parameters, causing the system to execute the attacker’s payload instead of a legitimate function.
  • Step 3 - Execute and achieve persistence: Once the configuration is saved, the scheduled task mechanism processes the injected command. This results in the execution of the attacker’s prepared code with root privileges, achieving persistent control over the device. This control remains active through system operations, allowing for ongoing malicious activity.

Conclusion

The discovery and mitigation of these three chained zero-day vulnerabilities in Siemens ROX II switches highlight the necessity of collaborative vulnerability research between vendors and security researchers. By working together to identify and remediate flaws that could allow full system compromise, the industry can better protect the critical infrastructure that underpins essential services.

To protect the intricate and interconnected OT environment, organizations must execute a defense-in-depth strategy. This methodology must combine timely firmware updates with compensating controls, such as virtual patching.

Palo Alto Networks Protection and Mitigation

While applying vendor-provided security updates remains the recommended long-term remediation, organizations may require additional time to test and deploy patches within OT environments.

Next-Generation Firewall with Advanced Threat Prevention

Next-Generation Firewall with the Advanced Threat Prevention security subscription can help block the attacks with best practices via the following Threat Prevention signatures 97246, 97250, 97249.

OT Security

OT Device Security provides deep visibility and AI-powered inline protection for industrial environments, securing critical OT assets and legacy systems without requiring downtime.

If you think you may have been compromised or have an urgent matter, get in touch with the Unit 42 Incident Response team or call:

  • North America: Toll Free: +1 (866) 486-4842 (866.4.UNIT42)
  • UK: +44.20.3743.3660
  • Europe and Middle East: +31.20.299.3130
  • Asia: +65.6983.8730
  • Japan: +81.50.1790.0200
  • Australia: +61.2.4062.7950
  • India: 000 800 050 45107
  • South Korea: +82.080.467.8774

Palo Alto Networks has shared these findings with our fellow Cyber Threat Alliance (CTA) members. CTA members use this intelligence to rapidly deploy protections to their customers and to systematically disrupt malicious cyber actors. Learn more about the Cyber Threat Alliance.

Indicators of Behavior

System behavior indicators:

  • Unusual task scheduler entries:
    • Description: Unexpected scripts or commands injected into the switch’s system configuration files or task scheduler configuration. These are typically characterized by the execution of arbitrary commands (e.g., python, bash or direct system calls) instead of legitimate task functions.
  • Abnormal use of the xz utility:
    • Description: Execution of xz with parameters -f, -c and -d by the privileged configuration daemon. This indicates an attempt to read files on the file system that are not normally accessible to the user.

Additional Resources

Adam Robbie, Head of OT Threat Research, Emmanuel Zhou, Sr. Staff Researcher and Rick Wyble, OT Security Researcher, are researchers affiliated with the Palo Alto Networks Advanced Research Center for OT. Miguel Pereira is from Siemens ProductCERT.