Disclosure, patch, and prevention
We reported the findings to Siemens on March 19, 2025, and worked with their ProductCERT team.
Siemens issued an initial advisory (SSA-301229) and released a patch for the remote code execution vulnerability on May 13, 2025. A second patch addressing the file upload issue was released in June, followed by full public disclosure.
We appreciate Siemens’ quick and professional response and coordination with CISA (advisory ICSA-25-135-17).
Lessons for OT security leaders
These findings are a reminder that built-in diagnostic tools can become dangerous entry points when paired with weak input validation. OT systems must be continuously assessed—not just for perimeter defenses, but for internal misconfigurations, default settings, and overlooked features that can be chained together in unanticipated ways.
In this case, while the exploit requires authentication, the use of weak or default credentials remains a common risk factor found on many RMC assessments, particularly in OT environments. Strengthening password hygiene and changing vendor defaults are essential first steps.
Network segmentation and other compensating controls also play a critical role—especially for devices that may be inherently insecure by design. Even when a device is deployed in a ruggedized or hardened environment, assumptions about trust boundaries can lead to exploitable gaps if layered defenses aren’t enforced.
Key takeaways:
Restrict administrative web access to secured internal networks.
Harden web interfaces and verify input validation mechanisms.
Enforce strong password practices and eliminate default credentials.
Segment networks and apply layered access controls to limit attacker movement.
Regularly apply vendor patches and monitor for ICS advisories.
Consider third-party penetration testing for OT environments.
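The takeaways above turn on two coding patterns that show up repeatedly in OT web interfaces: a diagnostic helper that hands operator input to a shell, and an upload handler that trusts a client-supplied file name. The Python below is an added illustration written for this article; it is not RuggedCom firmware code and not the exploit chain reported to Siemens, and it makes no claim about how that product is implemented. The function names, the allowed upload extensions, the management subnets and the sample inputs are assumptions chosen for the example. It places the weak command-building pattern next to its hardened form, adds a file upload check that stops path traversal, and includes a source-network check of the kind that enforces the "secured internal networks" takeaway at the application layer.

```python
"""Added example for this article: not RuggedCom firmware code and not the
reported exploit chain.  Function names, ALLOWED_UPLOAD_EXT, MANAGEMENT_NETS
and the sample inputs are assumptions chosen for illustration."""
import ipaddress
import os
import re
import subprocess

# RFC 1123 host name: labels of letters, digits and hyphens that cannot start
# or end with a hyphen.  Nothing a shell would interpret can pass this.
_HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)"
    r"(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)*"
    r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$",
    re.IGNORECASE,
)


def validate_target(target):
    """Return a cleaned IP address or host name, or raise ValueError."""
    target = target.strip()
    try:
        return str(ipaddress.ip_address(target))
    except ValueError:
        pass
    if _HOSTNAME_RE.match(target):
        return target
    raise ValueError(f"rejected diagnostic target: {target!r}")


def ping_command_vulnerable(target):
    """Weak pattern: operator input interpolated into one shell string.
    A target of '127.0.0.1; id' runs 'id' with the web server's privileges
    as soon as this string reaches subprocess.run(..., shell=True)."""
    return f"ping -c 1 {target}"


def ping_command(target):
    """Hardened pattern: validate first, then build an argv list so the
    target is only ever a single argument and no shell is involved."""
    return ["ping", "-c", "1", validate_target(target)]


def run_ping(target, timeout=10):
    """Run the hardened command; shell=False keeps metacharacters inert."""
    result = subprocess.run(ping_command(target), shell=False,
                            capture_output=True, text=True, timeout=timeout)
    return result.returncode


def target_is_accepted(target):
    """True when validate_target would let the value through."""
    try:
        validate_target(target)
        return True
    except ValueError:
        return False


ALLOWED_UPLOAD_EXT = {".cfg", ".pem", ".crt"}  # assumption for the example


def safe_upload_path(upload_dir, client_filename):
    """Hardened pattern for an upload handler: drop any directory part the
    client sent, allow-list the extension, and confirm the resolved
    destination is still inside upload_dir."""
    name = os.path.basename(client_filename.replace("\\", "/"))
    if not name or name.startswith(".") or not re.fullmatch(r"[A-Za-z0-9._-]+", name):
        raise ValueError(f"rejected file name: {client_filename!r}")
    if os.path.splitext(name)[1].lower() not in ALLOWED_UPLOAD_EXT:
        raise ValueError(f"rejected extension: {client_filename!r}")
    root = os.path.realpath(upload_dir)
    dest = os.path.realpath(os.path.join(root, name))
    if os.path.dirname(dest) != root:
        raise ValueError(f"path escapes upload directory: {client_filename!r}")
    return dest


def upload_is_accepted(upload_dir, client_filename):
    """True when safe_upload_path would accept the client file name."""
    try:
        safe_upload_path(upload_dir, client_filename)
        return True
    except ValueError:
        return False


# Management subnets from which the admin web interface may be reached (assumption).
MANAGEMENT_NETS = [ipaddress.ip_network("10.10.0.0/24"),
                   ipaddress.ip_network("192.168.100.0/24")]


def management_access_allowed(client_ip, allowed_nets=MANAGEMENT_NETS):
    """Reject administrative requests that do not come from a management subnet."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net for net in allowed_nets)


if __name__ == "__main__":
    # Constructed inputs: one benign, one carrying a shell injection payload.
    for sample in ("host.example.com", "127.0.0.1; id"):
        print(repr(sample), "weak:", ping_command_vulnerable(sample),
              "| hardened accepts:", target_is_accepted(sample))
    print(upload_is_accepted("/tmp/uploads", "..\\..\\startup.cfg"),
          upload_is_accepted("/tmp/uploads", "../../etc/passwd"))
```

The vulnerable builder is kept only to make the contrast visible: the same payload that yields a second command there is rejected outright by validate_target, and even a value that slipped through would reach ping as one argument rather than a shell line. The upload check deliberately does not try to "clean" a traversal sequence; it takes the base name, applies an allow-list, and then verifies the resolved path, so a rejected name fails closed instead of being quietly rewritten.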
Recent advisories from CISA further underscore how frequently vulnerabilities are identified across industrial control devices, including Siemens’ broader RuggedCom and SCALANCE product lines.
Whether the threat is tied to improper privilege checks, cross-site scripting, or file upload paths, the message is clear: Securing OT infrastructure demands continuous review, even of trusted diagnostic tools and interfaces.
Staying ahead of industrial threats
As OT and IT continue to converge, vulnerabilities like these will become more prevalent, especially as attackers look for novel paths into hardened industrial networks. Keeping pace with these threats requires not just finding vulnerabilities but taking steps to remediate them before they’re exploited in the wild.
For manufacturers, utilities, and operators using RuggedCom ROXOS II devices, patching to version 2.16.5+ is essential. More broadly, it’s a wake-up call to revisit the security of “legacy” tools and overlooked features inside your operational stack.
For a more technical breakdown of the exploit chain, including disclosure timeline, attack steps, and remediation details, visit our full blog post.