CVE-2025-41224 in RUGGEDCOM RMC8388 V5.X
Summary
by MITRE • 07/08/2025
A vulnerability has been identified in RUGGEDCOM RMC8388 V5.X (All versions < V5.10.0), RUGGEDCOM RMC8388NC V5.X (All versions < V5.10.0), RUGGEDCOM RS416NCv2 V5.X (All versions < V5.10.0), RUGGEDCOM RS416PNCv2 V5.X (All versions < V5.10.0), RUGGEDCOM RS416Pv2 V5.X (All versions < V5.10.0), RUGGEDCOM RS416v2 V5.X (All versions < V5.10.0), RUGGEDCOM RS900 (32M) V5.X (All versions < V5.10.0), RUGGEDCOM RS900G (32M) V5.X (All versions < V5.10.0), RUGGEDCOM RS900GNC(32M) V5.X (All versions < V5.10.0), RUGGEDCOM RS900NC(32M) V5.X (All versions < V5.10.0), RUGGEDCOM RSG2100 (32M) V5.X (All versions < V5.10.0), RUGGEDCOM RSG2100NC(32M) V5.X (All versions < V5.10.0), RUGGEDCOM RSG2100P (32M) V5.X (All versions < V5.10.0), RUGGEDCOM RSG2100PNC (32M) V5.X (All versions < V5.10.0), RUGGEDCOM RSG2288 V5.X (All versions < V5.10.0), RUGGEDCOM RSG2288NC V5.X (All versions < V5.10.0), RUGGEDCOM RSG2300 V5.X (All versions < V5.10.0), RUGGEDCOM RSG2300NC V5.X (All versions < V5.10.0), RUGGEDCOM RSG2300P V5.X (All versions < V5.10.0), RUGGEDCOM RSG2300PNC V5.X (All versions < V5.10.0), RUGGEDCOM RSG2488 V5.X (All versions < V5.10.0), RUGGEDCOM RSG2488NC V5.X (All versions < V5.10.0), RUGGEDCOM RSG907R (All versions < V5.10.0), RUGGEDCOM RSG908C (All versions < V5.10.0), RUGGEDCOM RSG909R (All versions < V5.10.0), RUGGEDCOM RSG910C (All versions < V5.10.0), RUGGEDCOM RSG920P V5.X (All versions < V5.10.0), RUGGEDCOM RSG920PNC V5.X (All versions < V5.10.0), RUGGEDCOM RSL910 (All versions < V5.10.0), RUGGEDCOM RSL910NC (All versions < V5.10.0), RUGGEDCOM RST2228 (All versions < V5.10.0), RUGGEDCOM RST2228P (All versions < V5.10.0), RUGGEDCOM RST916C (All versions < V5.10.0), RUGGEDCOM RST916P (All versions < V5.10.0). The affected products do not properly enforce interface access restrictions when changing from management to non-management interface configurations until a system reboot occurs, despite configuration being saved. This could allow an attacker with network access and credentials to gain access to device through non-management and maintain SSH access to the device until reboot.
Be aware that VulDB is the high quality source for vulnerability data.
Analysis
by VulDB Data Team • 07/08/2025
This vulnerability affects a wide range of ruggedized networking equipment manufactured by RUGGEDCOM, specifically targeting devices running firmware versions prior to V5.10.0 across multiple product lines including RMC8388, RS416, RS900, RSG2100, RSG2288, RSG2300, RSG2488, RSG907R, RSG908C, RSG909R, RSG910C, RSG920P, RSL910, RST2228, and RST916 series. The flaw resides in the device's interface access control mechanism, where the system fails to properly enforce restrictions when transitioning from management to non-management interface configurations. This represents a significant security weakness that could be exploited by adversaries with network access and valid credentials to gain unauthorized access to device management functions.
The technical implementation of this vulnerability stems from improper enforcement of access controls during interface configuration changes. When administrators modify interface settings from management to non-management modes, the system should enforce strict access restrictions to prevent unauthorized access to sensitive management functions. However, the affected devices maintain the ability for authenticated users to access non-management interfaces and subsequently maintain SSH access to the device until a system reboot occurs. This behavior violates fundamental security principles of least privilege and proper access control enforcement, creating a persistent backdoor that remains active across configuration changes.
From an operational impact perspective, this vulnerability creates a persistent threat vector that could be exploited by attackers who have already gained network access and valid credentials to the device. The ability to maintain SSH access across configuration changes until reboot means that even if administrators attempt to secure the device by changing interface configurations, the attacker can continue to maintain access. This could result in prolonged unauthorized access to critical network infrastructure, potentially leading to data exfiltration, network disruption, or use as a pivot point for further attacks within the network. The vulnerability affects devices that are typically deployed in industrial environments where network security is paramount, making the impact particularly severe.
The vulnerability aligns with CWE-284, which describes improper access control, and represents a specific implementation flaw in access control enforcement mechanisms. From an ATT&CK framework perspective, this vulnerability maps to techniques such as T1021.004 (Remote Services: SSH) and T1078.004 (Valid Accounts: Cloud Accounts) as attackers can leverage existing credentials to maintain access. The attack surface is particularly concerning because it requires only network access and valid credentials, making it exploitable by both external attackers and insider threats. Organizations should implement immediate mitigations including upgrading to firmware version V5.10.0 or later, implementing network segmentation, and monitoring for unauthorized interface configuration changes.
The root cause of this vulnerability suggests a failure in the device's access control policy enforcement logic during interface transitions. The system should properly validate and enforce access restrictions whenever interface configurations change, regardless of whether the configuration is saved to persistent storage. This oversight creates a security boundary violation where the device maintains elevated access privileges even after configuration changes that should have restricted access. The lack of proper access control enforcement until reboot creates a window of opportunity for attackers to maintain persistence, making this vulnerability particularly dangerous in environments where these devices are used for critical infrastructure protection. Organizations should consider implementing additional monitoring controls to detect unauthorized access attempts and configuration changes, as well as establishing procedures for immediate firmware updates when vulnerabilities of this nature are identified.