CVE-2024-56838

CVE

High

A vulnerability has been identified in RUGGEDCOM ROX MX5000 (All versions < V2.17.0), RUGGEDCOM ROX MX5000RE (All versions < V2.17.0), RUGG…

CVSS

8.6

High

EPSS

0.00

p28

Published

2024-01-01

Updated

2024-01-01

Description

A vulnerability has been identified in RUGGEDCOM ROX MX5000 (All versions < V2.17.0), RUGGEDCOM ROX MX5000RE (All versions < V2.17.0), RUGGEDCOM ROX RX1400 (All versions < V2.17.0), RUGGEDCOM ROX RX1500 (All versions < V2.17.0), RUGGEDCOM ROX RX1501 (All versions < V2.17.0), RUGGEDCOM ROX RX1510 (All versions < V2.17.0), RUGGEDCOM ROX RX1511 (All versions < V2.17.0), RUGGEDCOM ROX RX1512 (All versions < V2.17.0), RUGGEDCOM ROX RX1524 (All versions < V2.17.0), RUGGEDCOM ROX RX1536 (All versions < V2.17.0), RUGGEDCOM ROX RX5000 (All versions < V2.17.0). The SCEP client available in the affected device for secure certificate enrollment lacks validation of multiple fields. An attacker could leverage this scenario to execute arbitrary code as root user.

Tags · CWE

CWE-74

CAPEC-3

CAPEC-6

CAPEC-7

CAPEC-8

CAPEC-9

CAPEC-10

CAPEC-13

CAPEC-14

CAPEC-24

CAPEC-28

CAPEC-34

CAPEC-42

CAPEC-43

CAPEC-45

CAPEC-46

CAPEC-47

CAPEC-51

CAPEC-52

CAPEC-53

CAPEC-64

CAPEC-67

CAPEC-71

CAPEC-72

CAPEC-76

CAPEC-78

CAPEC-79

CAPEC-80

CAPEC-83

CAPEC-84

CAPEC-101

CAPEC-105

CAPEC-108

CAPEC-120

CAPEC-135

CAPEC-250

CAPEC-267

CAPEC-273

Affected products

Ruggedcom_rox_ii_firmware

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Timeline

2024-01-01

Published

2024-01-01

Updated

CVSS 3.1 breakdown

Attack Vector

AV: N

Network (N)

Attack Complexity

AC: L

Low (L)

Attack Requirements

AT: N

None

Privileges Required

PR: H

High (H)

User Interaction

UI: N

None (N)

Vulnerable System Confidentiality

VC: H

High (H)

Vulnerable System Integrity

VI: H

High (H)

Vulnerable System Availability

VA: H

High (H)

Subsequent System Confidentiality

SC: N

None (N)

Subsequent System Integrity

SI: N

None (N)

Subsequent System Availability

SA: N

None (N)

Exploit Code Maturity

E: X

Not Defined

Confidentiality Requirement

CR: X

Not Defined

Integrity Requirement

IR: X

Not Defined

Availability Requirement

AR: X

Not Defined

Modified Attack Vector

MAV: X

Not Defined

Modified Attack Complexity

MAC: X

Not Defined

Modified Attack Requirements

MAT: X

Not Defined

Modified Privileges Required

MPR: X

Not Defined

Modified User Interaction

MUI: X

Not Defined

Modified Vulnerable System Confidentiality

MVC: X

Not Defined

Modified Vulnerable System Integrity

MVI: X

Not Defined

Modified Vulnerable System Availability

MVA: X

Not Defined

Modified Subsequent System Confidentiality

MSC: X

Not Defined

Modified Subsequent System Integrity

MSI: X

Not Defined

Modified Subsequent System Availability

MSA: X

Not Defined

S: X

AU: X

R: X

V: X

RE: X

U: X

Exploit indicators

EPSS

0.004 · p28

Known exploited (KEV)

MITRE ATT&CK

Inferred via CAPEC

T1027Obfuscated Files or Information

└ via CAPEC-267 · CWE-74

T1574.006Dynamic Linker Hijacking

└ via CAPEC-13 · CWE-74

T1574.007Path Interception by PATH Environment Variable

└ via CAPEC-13 · CWE-74

Known exploits — Сканер-ВС

No Сканер-ВС checks registered for this vulnerability yet.

Affected products

Siemens

Ruggedcom Rox Ii Ruggedcom Rox Ii Firmware

Product	Vendor	Status
ruggedcom_rox_ii_firmware	*	Tracked

Source databases

CVE

Related vulnerabilities

BDU:2025-15628

External references

https://cert-portal.siemens.com/productcert/html/ssa-912274.html