PatchSiren cyber security CVE debrief
CVE-2023-42363 Siemens CVE debrief
CVE-2023-42363 is a use-after-free vulnerability in BusyBox's xasprintf function that Siemens and CISA map to affected Siemens SINEC OS firmware on several industrial networking products, including the RUGGEDCOM RST2428P and multiple SCALANCE families. The supplied advisory rates the issue Medium (CVSS 5.5) and indicates denial-of-service impact as the main consequence.
- Vendor: Siemens
- Product: RUGGEDCOM RST2428P (6GK6242-6PA00)
- CVSS: MEDIUM 5.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-01-28
- Original CVE updated: 2026-02-25
- Advisory published: 2026-01-28
- Advisory updated: 2026-02-25
Who should care
OT/ICS operators and asset owners running Siemens devices that use SINEC OS firmware, especially the listed RUGGEDCOM and SCALANCE product families. Security teams should also care if they manage firmware baselines, remote access, or maintenance workflows that could expose local-user interaction paths.
Technical summary
The source corpus describes a BusyBox 1.36.1 use-after-free in xfuncs_printf.c:344, specifically in xasprintf. The supplied CVSS vector is AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H, which points to local access with user interaction and high availability impact, with no confidentiality or integrity impact scored. The republished Siemens/CISA advisory also clarifies that only SINEC OS firmware is impacted.
Defensive priority
Medium; prioritize promptly on any exposed or operationally critical Siemens SINEC OS deployment because the impact is availability loss on industrial networking equipment.
Recommended defensive actions
- Update affected devices to SINEC OS V3.3 or later, per Siemens remediation guidance.
- Confirm whether each deployed Siemens product is actually running SINEC OS firmware before scheduling remediation.
- Inventory the listed affected models and firmware versions, including RUGGEDCOM RST2428P and the SCALANCE families named in the advisory.
- Limit local access and operator interaction paths on affected systems until updates are applied.
- Track the Siemens ProductCERT advisory SSA-089022 and CISA advisory ICSA-26-043-06 for product-specific guidance and any further revision history.
Evidence notes
Supported by the Siemens ProductCERT advisory SSA-089022 and CISA republished CSAF advisory ICSA-26-043-06, both referenced in the source item. The corpus explicitly states a BusyBox v1.36.1 use-after-free in xasprintf/xfuncs_printf.c:344, gives the CVSS 3.1 vector AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H, and lists a vendor fix to update to V3.3 or later. The revision history in the supplied source notes a later clarification that only SINEC OS firmware is impacted.
Official resources
- CVE-2023-42363 CVE record (CVE.org)
- CVE-2023-42363 NVD detail (NVD)
- Source item URL (cisa_csaf)
CISA published the republished CSAF advisory on 2026-01-28 and updated it on 2026-02-25, with intermediate revision history entries on 2026-02-12 and 2026-02-24. Use those advisory dates for operational tracking; do not treat publication or