<?xml version="1.0" encoding="UTF-8"?>
<feed xmlns="http://www.w3.org/2005/Atom" xml:lang="en">
	<title>Bosch Rexroth Security Advisories</title>
	
	<updated>2026-04-10T11:11:12Z</updated>
	<id>https://psirt.bosch.com/security-advisories/bosch-rexroth-feed.xml</id>
	<link rel="alternate" type="text/html" href="https://psirt.bosch.com"/>
	<subtitle>Bosch Rexroth Security Advisories</subtitle>
	<rights>Robert Bosch GmbH</rights>
	<entry>
								<updated>2026-02-13T00:00:00</updated>
								<title>Vulnerabilities in Rexroth IndraWorks</title>
								<content type="html">
							    	
									&lt;p&gt;BOSCH-SA-591522: Trend Micro has identified multiple vulnerabilities in Rexroth IndraWorks which affect both IndraWorks itself and the utilities shipped as part of the package. In the worst case, a successful attack leads to remote code execution.&lt;/p&gt;
								</content>
								<link rel="alternate" type="text/html" href="https://psirt.bosch.com/security-advisories/bosch-sa-591522.html" />
								<id>https://psirt.bosch.com/security-advisories/bosch-sa-591522.html</id>
								<author>
									<name>Robert Bosch GmbH</name>
								</author>
							</entry>
						<entry>
								<updated>2025-08-14T00:00:00</updated>
								<title>Vulnerabilities in ctrlX OS - Setup</title>
								<content type="html">
							    	
									&lt;p&gt;BOSCH-SA-129652: Vulnerabilities in ctrlX OS - Setup&lt;/p&gt;
								</content>
								<link rel="alternate" type="text/html" href="https://psirt.bosch.com/security-advisories/bosch-sa-129652.html" />
								<id>https://psirt.bosch.com/security-advisories/bosch-sa-129652.html</id>
								<author>
									<name>Robert Bosch GmbH</name>
								</author>
							</entry>
						<entry>
								<updated>2025-08-14T00:00:00</updated>
								<title>Denial of Service on Rexroth Fieldbus Couplers</title>
								<content type="html">
							    	
									&lt;p&gt;BOSCH-SA-757244: Several fieldbus couplers sold by Bosch Rexroth contain technology from Phoenix Contact. The manufacturer has published a security bulletin about a weakness in the web-based administration interface. A successful attack overloads the device and triggers the hardware watchdog. Process data then behaves according to the configured substitute value behavior. The bus coupler requires a manual restart (power-cycling the device, pressing the reset button or executing the SNMP reset command) to reestablish communication on the Industrial Ethernet (e.g. PROFINET IO, Modbus/TCP, EtherNet/IP).&lt;/p&gt;
								</content>
								<link rel="alternate" type="text/html" href="https://psirt.bosch.com/security-advisories/bosch-sa-757244.html" />
								<id>https://psirt.bosch.com/security-advisories/bosch-sa-757244.html</id>
								<author>
									<name>Robert Bosch GmbH</name>
								</author>
							</entry>
						<entry>
								<updated>2025-04-25T00:00:00</updated>
								<title>Multiple ctrlX OS vulnerabilities</title>
								<content type="html">
							    	
									&lt;p&gt;BOSCH-SA-640452: The base ctrlX OS apps Device Admin and Solutions contain multiple vulnerabilities. In the worst case, a remote authenticated (low-privileged) attacker might be able to execute arbitrary OS commands with elevated privileges. The vulnerabilities were discovered and responsibly disclosed by Nozomi; we thank them for coordinating the disclosure with us.&lt;/p&gt;
								</content>
								<link rel="alternate" type="text/html" href="https://psirt.bosch.com/security-advisories/bosch-sa-640452.html" />
								<id>https://psirt.bosch.com/security-advisories/bosch-sa-640452.html</id>
								<author>
									<name>Robert Bosch GmbH</name>
								</author>
							</entry>
						<entry>
								<updated>2024-10-02T00:00:00</updated>
								<title>Multiple vulnerabilities in libexpat affecting PRC7000</title>
								<content type="html">
							    	
									&lt;p&gt;BOSCH-SA-200802: Multiple vulnerabilities were discovered in the open source library &#34;libexpat&#34;, affecting its XML parser functionality. These vulnerabilities involve integer overflows and invalid negative values for buffer sizes. As the device&#39;s &#34;Import&#34; and &#34;Restore&#34; functions, which use libexpat to parse XML files, may be affected, updating the firmware is strongly advised.&lt;/p&gt;
								</content>
								<link rel="alternate" type="text/html" href="https://psirt.bosch.com/security-advisories/bosch-sa-200802.html" />
								<id>https://psirt.bosch.com/security-advisories/bosch-sa-200802.html</id>
								<author>
									<name>Robert Bosch GmbH</name>
								</author>
							</entry>
						<entry>
								<updated>2024-07-19T00:00:00</updated>
								<title>&#34;regreSSHion&#34; OpenSSH vulnerability in PRC7000</title>
								<content type="html">
							    	
									&lt;p&gt;BOSCH-SA-258444: The Qualys Threat Research Unit (TRU) has discovered a Remote Unauthenticated Code Execution (RCE) vulnerability in OpenSSH’s server (sshd) in glibc-based Linux systems. The vulnerability, which is a signal handler race condition in OpenSSH’s server (sshd), allows unauthenticated remote code execution (RCE) as root on glibc-based Linux systems; that presents a significant security risk. This race condition affects sshd in its default configuration. (excerpt from https://blog.qualys.com/vulnerabilities-threat-research/2024/07/01/regresshion-remote-unauthenticated-code-execution-vulnerability-in-openssh-server)&lt;/p&gt;
								</content>
								<link rel="alternate" type="text/html" href="https://psirt.bosch.com/security-advisories/bosch-sa-258444.html" />
								<id>https://psirt.bosch.com/security-advisories/bosch-sa-258444.html</id>
								<author>
									<name>Robert Bosch GmbH</name>
								</author>
							</entry>
						<entry>
								<updated>2024-01-29T00:00:00</updated>
								<title>Multiple vulnerabilities in Nexo cordless nutrunner</title>
								<content type="html">
							    	
									&lt;p&gt;BOSCH-SA-711465: The Nexo cordless nutrunner running NEXO-OS V1500-SP2 contains multiple vulnerabilities that allow an attacker:

- to read/upload/download/delete arbitrary files in all paths of the system,
- to inject and execute arbitrary client-side script code, inject arbitrary HTTP response headers or manipulate HTTP response bodies inside a victim&#39;s session,
- to authenticate to the web application with high privileges or to the SSH service with root privileges through multiple hidden hard-coded accounts,
- to read or update arbitrary content of the authentication or results database,
- to perform a Denial-of-Service (DoS) attack or, possibly, obtain Remote Code Execution (RCE),
- to upload a malicious file containing arbitrary client-side script code to the SD card and obtain its execution inside a victim&#39;s session,
- to access sensitive data inside exported packages or obtain up to Remote Code Execution (RCE) with root privileges on the device,
- to send malicious network requests containing arbitrary client-side script code and obtain its execution inside a victim&#39;s session,
- to perform actions exceeding their authorized access.&lt;/p&gt;
								</content>
								<link rel="alternate" type="text/html" href="https://psirt.bosch.com/security-advisories/bosch-sa-711465.html" />
								<id>https://psirt.bosch.com/security-advisories/bosch-sa-711465.html</id>
								<author>
									<name>Robert Bosch GmbH</name>
								</author>
							</entry>
						<entry>
								<updated>2023-11-21T00:00:00</updated>
								<title>Multiple vulnerabilities on ctrlX HMI / WR21</title>
								<content type="html">
							    	
									&lt;p&gt;BOSCH-SA-175607: The operating system of the ctrlX HMI / WR21 before build date 20231107 has several vulnerabilities when kiosk mode is used in conjunction with Google Chrome. In the worst case, an attacker with physical access to the device can obtain root access without passing the normal authentication boundaries. Additionally, the &#34;Android Agent&#34; application, an onboard application of the ctrlX HMI / WR21 before build date 20231107, contains weaknesses related to the execution of arbitrary commands on the device. All weaknesses are fixed in the latest firmware version, which can be installed on existing devices.&lt;/p&gt;
								</content>
								<link rel="alternate" type="text/html" href="https://psirt.bosch.com/security-advisories/bosch-sa-175607.html" />
								<id>https://psirt.bosch.com/security-advisories/bosch-sa-175607.html</id>
								<author>
									<name>Robert Bosch GmbH</name>
								</author>
							</entry>
						<entry>
								<updated>2023-03-03T00:00:00</updated>
								<title>Vulnerability in routers FL MGUARD and TC MGUARD</title>
								<content type="html">
							    	
									&lt;p&gt;BOSCH-SA-931197: Possible denial of service on HTTPS management interface

The FL MGUARD and TC MGUARD devices sold by Bosch Rexroth are devices from Phoenix Contact that are resold as trade goods. The manufacturer has published a security advisory indicating that a denial of service of the HTTPS management interface of these devices can be triggered by a large number of unauthenticated HTTPS connections arriving from different source IPs [1]. Configuring firewall limits for incoming connections does not prevent the issue.

During the attack, the HTTPS management interface is no longer accessible to valid users. Additionally, the performance of other services of the FL MGUARD or TC MGUARD device may be affected, and an unexpected reboot of the device is possible.

  Parts No.    Parts Shorttext         PxC No.   Article
  ------------ ----------------------- --------- -----------------------------
  R901351745   FL MGUARD RS4000 TX/&amp;   2700634   FL MGUARD RS4000 TX/TX
  R901352542   FL MGUARD RS4000 VPN&amp;   2200515   FL MGUARD RS4000 TX/TX VPN
  R901541498   TC MGUARD RS4000 4G &amp;   2903586   TC MGUARD RS4000 4G VPN
  R911173814   FL MGUARD RS4000 TX/&amp;   2200515   FL MGUARD RS4000 TX/TX VPN
  R911173815   TC MGUARD RS2000 3G &amp;   2903441   TC MGUARD RS2000 3G VPN
  R911173816   TC MGUARD RS4000 3G &amp;   2903440   TC MGUARD RS4000 3G VPN
  R911173817   FL MGUARD DELTA TX/T&amp;   2700967   FL MGUARD DELTA TX/TX
  R911173818   FL MGUARD SMART2 VPN    2700639   FL MGUARD SMART2 VPN
  R913050362   FL MGUARD RS4004 TX/&amp;   2701876   FL MGUARD RS4004 TX/DTX
  R913051602   FL MGUARD RS4004 TX/&amp;   2701877   FL MGUARD RS4004 TX/DTX VPN
  R913056204   FL MGUARD RS2000 TX/&amp;   2702139   FL MGUARD RS2000 TX/TX-B
  R913058931   FL MGUARD RS2000 TX/&amp;   2700642   FL MGUARD RS2000 TX/TX VPN
  R913066122   TC MGUARD RS2000 4G &amp;   2903588   TC MGUARD RS2000 4G VPN
  R913076699   FL MGUARD RS4000 TX/&amp;   2700634   FL MGUARD RS4000 TX/TX
&lt;/p&gt;
								</content>
								<link rel="alternate" type="text/html" href="https://psirt.bosch.com/security-advisories/bosch-sa-931197.html" />
								<id>https://psirt.bosch.com/security-advisories/bosch-sa-931197.html</id>
								<author>
									<name>Robert Bosch GmbH</name>
								</author>
							</entry>
						<entry>
								<updated>2022-10-11T00:00:00</updated>
								<title>Vulnerabilities in the communication protocol of the PLC runtime</title>
								<content type="html">
							    	
									&lt;p&gt;BOSCH-SA-577411: The PLC application of the control systems ctrlX CORE, IndraLogic, IndraMotion MTX, IndraMotion MLC and IndraMotion MLD contains PLC technology from CODESYS GmbH. The manufacturer CODESYS GmbH has published multiple security bulletins [1], [2], [3], [4], [5]. By exploiting vulnerabilities in the protocol used for communication between the PLC runtime and its clients, attackers can send crafted communication packets that may stop the web server communication of the PLC runtime or temporarily block communication with the PLC runtime. Please see the following table for a quick overview of the affected products.

  CVE                              CODESYS Advisory   ctrlX CORE PLC         IndraMotion MLC/MLD/MTX, IndraLogic
  -------------------------------- ------------------ ---------------------- -----------------------------------------------
  CVE-2022-22519                   2022-07            affected (&lt;= 01V16)   not affected
  CVE-2022-22513, CVE-2022-22514   2022-06            not affected           affected only when user management is disabled
  CVE-2022-22517                   2022-04            affected (&lt;= 01V16)   affected
  CVE-2022-22515                   2022-02            not affected           affected only when user management is disabled
&lt;/p&gt;
								</content>
								<link rel="alternate" type="text/html" href="https://psirt.bosch.com/security-advisories/bosch-sa-577411.html" />
								<id>https://psirt.bosch.com/security-advisories/bosch-sa-577411.html</id>
								<author>
									<name>Robert Bosch GmbH</name>
								</author>
							</entry>
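<!--
Added example, not part of this feed and not Bosch tooling: a Python script for consuming an Atom advisory feed of this shape. It parses each entry, strips the HTML from the body, extracts the six-digit BOSCH-SA number named in the body and cross-checks it against the number in the entry's alternate link, and supports incremental polling by "updated" date. It runs offline against a constructed sample feed modelled on this one; the sample's second entry deliberately carries a body ID that disagrees with its link so the check has something to report. The names parse_feed, Advisory, check_consistency and newer_than are this example's own.

```python
"""Ingest an Atom security-advisory feed and sanity-check each entry.

Added example, not code from the feed or from Bosch.  The sample feed below is
constructed to mirror the real one; pass real feed text to parse_feed() to
use it for ingestion.
"""
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from datetime import date
from html import unescape
from typing import List, Optional

ATOM = "{http://www.w3.org/2005/Atom}"
BODY_ID_RE = re.compile(r"BOSCH-SA-(\d{6})")
LINK_ID_RE = re.compile(r"bosch-sa-(\d{6})\.html$")

# Constructed sample feed (not the real feed).  The second entry deliberately
# carries a body ID that does not match its link, to exercise the check.
SAMPLE_FEED = """<?xml version="1.0" encoding="UTF-8"?>
<feed xmlns="http://www.w3.org/2005/Atom">
  <title>Sample Security Advisories</title>
  <entry>
    <updated>2026-02-13T00:00:00</updated>
    <title>Vulnerabilities in Rexroth IndraWorks</title>
    <content type="html">&lt;p&gt;BOSCH-SA-591522: multiple vulnerabilities ...&lt;/p&gt;</content>
    <link rel="alternate" type="text/html" href="https://psirt.bosch.com/security-advisories/bosch-sa-591522.html"/>
    <id>https://psirt.bosch.com/security-advisories/bosch-sa-591522.html</id>
  </entry>
  <entry>
    <updated>2024-07-19T00:00:00</updated>
    <title>OpenSSH vulnerability in PRC7000</title>
    <content type="html">&lt;p&gt;BOSCH-SA-248444: signal handler race in sshd ...&lt;/p&gt;</content>
    <link rel="alternate" type="text/html" href="https://psirt.bosch.com/security-advisories/bosch-sa-258444.html"/>
    <id>https://psirt.bosch.com/security-advisories/bosch-sa-258444.html</id>
  </entry>
</feed>
"""


@dataclass
class Advisory:
    title: str
    updated: date
    url: str
    summary: str                 # entry body with HTML tags removed
    body_id: Optional[str]       # six-digit number after "BOSCH-SA-" in the body
    link_id: Optional[str]       # six-digit number in the alternate link

    @property
    def consistent(self) -> bool:
        """True only when the body and the link name the same advisory."""
        return self.body_id is not None and self.body_id == self.link_id


def _strip_tags(html_text: str) -> str:
    # The XML parser already decoded &lt;p&gt; to <p>; unescape() covers
    # any remaining double-encoded entities before the tags are dropped.
    return re.sub(r"<[^>]+>", "", unescape(html_text)).strip()


def parse_feed(xml_text: str) -> List[Advisory]:
    root = ET.fromstring(xml_text)
    advisories = []
    for entry in root.iter(ATOM + "entry"):
        link = entry.find(ATOM + "link[@rel='alternate']")
        url = link.get("href", "") if link is not None else ""
        body = _strip_tags(entry.findtext(ATOM + "content", default=""))
        body_match = BODY_ID_RE.search(body)
        link_match = LINK_ID_RE.search(url)
        advisories.append(Advisory(
            title=entry.findtext(ATOM + "title", default=""),
            # Atom dates are RFC 3339; the date part is enough for triage.
            updated=date.fromisoformat(entry.findtext(ATOM + "updated", default="")[:10]),
            url=url,
            summary=body,
            body_id=body_match.group(1) if body_match else None,
            link_id=link_match.group(1) if link_match else None,
        ))
    return advisories


def check_consistency(advisories: List[Advisory]) -> List[Advisory]:
    """Entries whose body ID is missing or disagrees with the link ID."""
    return [a for a in advisories if not a.consistent]


def newer_than(advisories: List[Advisory], since: date) -> List[Advisory]:
    """Entries updated after `since`, newest first, for incremental polling."""
    return sorted((a for a in advisories if a.updated > since),
                  key=lambda a: a.updated, reverse=True)


if __name__ == "__main__":
    feed = parse_feed(SAMPLE_FEED)
    for adv in newer_than(feed, date(2024, 1, 1)):
        print(adv.updated, adv.link_id, adv.title)
    for adv in check_consistency(feed):
        print("ID mismatch:", adv.body_id, "in body vs", adv.link_id, "in", adv.url)
```

The link, not the body text, is treated as the authoritative identifier because it is what the entry's id element repeats; a body ID that disagrees with it is reported rather than silently used as a lookup key.
-->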
						
</feed>