PatchSiren cyber security CVE debrief
CVE-2023-42366 Siemens CVE debrief
CVE-2023-42366 is a heap-buffer-overflow in BusyBox, in the next_token() function of awk.c, that Siemens republished for affected OT networking products running SINEC OS firmware. The advisory scope includes RUGGEDCOM RST2428P and multiple SCALANCE families; the remediation is to update to V3.3 or later. The published CVSS vector describes a local attack that needs no privileges but requires user interaction, with availability as the only impact (no confidentiality or integrity loss).
- Vendor: Siemens
- Product: RUGGEDCOM RST2428P (6GK6242-6PA00)
- CVSS: MEDIUM 5.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-01-28
- Original CVE updated: 2026-02-25
- Advisory published: 2026-01-28
- Advisory updated: 2026-02-25
Who should care
Siemens OT/ICS operators, asset owners, and maintenance teams responsible for RUGGEDCOM and SCALANCE devices running SINEC OS firmware, especially where local interactive access or administrative sessions are possible.
Technical summary
The underlying flaw is a heap-buffer-overflow in BusyBox v1.36.1, in the next_token function at awk.c:1159. The supplied CVSS vector (AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H) scores it as a local attack that needs no privileges but does require user interaction, with impact limited to availability; confidentiality and integrity are unaffected. Read literally, that means an attacker needs an existing local foothold on the device plus a user or script that runs the BusyBox awk applet on attacker-controlled input; the advisory does not describe a remote or unauthenticated path. Siemens (SSA-089022) and CISA (ICSA-26-043-06) republished the issue for the affected SINEC OS products and direct customers to firmware V3.3 or later.
Defensive priority
Medium priority; higher for critical OT sites or devices that cannot be quickly isolated and updated.
Recommended defensive actions
- Identify whether any Siemens RUGGEDCOM or SCALANCE devices in your environment are running the affected SINEC OS firmware.
- Plan and apply the vendor remediation to update to V3.3 or later, following Siemens guidance for the specific product model.
- Use a maintenance window and verify configuration and backup recovery steps before upgrading firmware on production OT devices.
- Restrict local and interactive access to affected systems until patching is complete, including administrative consoles and any shared operator access.
- Review Siemens ProductCERT advisory SSA-089022 and CISA advisory ICSA-26-043-06 for model-specific remediation notes.
- After remediation, confirm firmware versions and document the asset state for future vulnerability management.
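The first, second and last actions above reduce to one question per device: is it running SINEC OS, and if so is the firmware at V3.3 or later? The script below is an added example, not Siemens or CISA tooling, that answers that from an asset inventory. The inventory rows are constructed sample data, the column names (host, model, os, firmware) are an assumption about how a site records its assets, and the SCALANCE rows use a placeholder model name because this debrief does not list the specific SCALANCE families. The rule encoded is the advisory's own: only SINEC OS firmware earlier than V3.3 needs the update, and a device whose version cannot be read is flagged for manual verification rather than assumed fixed.

```python
"""Triage a device inventory against the SSA-089022 remediation (SINEC OS V3.3+).

Added example, not Siemens or CISA tooling. INVENTORY is constructed sample
data and the column names are an assumption about a site's asset records.
"""
import re

FIXED_VERSION = (3, 3)  # advisory remediation: "update to V3.3 or later"

# Constructed sample inventory. Hostnames and versions are made up; the
# SCALANCE model string is a placeholder, not a product name from the advisory.
INVENTORY = [
    {"host": "rst-a", "model": "RUGGEDCOM RST2428P", "os": "SINEC OS", "firmware": "V3.2.1"},
    {"host": "rst-b", "model": "RUGGEDCOM RST2428P", "os": "SINEC OS", "firmware": "V3.3"},
    {"host": "sc-a", "model": "SCALANCE (placeholder)", "os": "SINEC OS", "firmware": "V3.10"},
    {"host": "sc-b", "model": "SCALANCE (placeholder)", "os": "other firmware", "firmware": "V2.0"},
    {"host": "sc-c", "model": "SCALANCE (placeholder)", "os": "SINEC OS", "firmware": ""},
]


def parse_version(text: str) -> tuple:
    """Parse 'V3.3', 'v3.2.1' or '3.3' into an integer tuple.

    Compare numerically, never as strings: 'V3.10' sorts before 'V3.3'
    lexically but is the later release.
    """
    match = re.fullmatch(r"[Vv]?(\d+(?:\.\d+)*)", text.strip())
    if not match:
        raise ValueError(f"unrecognised firmware version {text!r}")
    return tuple(int(part) for part in match.group(1).split("."))


def is_affected_os(device: dict) -> bool:
    """The advisory revision history narrows impact to SINEC OS firmware only."""
    return device.get("os", "").strip().upper() == "SINEC OS"


def classify(device: dict) -> str:
    """Return one of 'remediate', 'fixed', 'not_affected', 'unknown'."""
    if not is_affected_os(device):
        return "not_affected"
    try:
        version = parse_version(device.get("firmware", ""))
    except ValueError:
        # Missing or odd version string: verify on the device, never assume fixed.
        return "unknown"
    return "remediate" if version < FIXED_VERSION else "fixed"


def triage(inventory: list) -> dict:
    """Group hosts by classification; 'remediate' and 'unknown' both need action."""
    report = {"remediate": [], "fixed": [], "not_affected": [], "unknown": []}
    for device in inventory:
        report[classify(device)].append(device["host"])
    return report


if __name__ == "__main__":
    for bucket, hosts in triage(INVENTORY).items():
        print(f"{bucket:13s} {', '.join(hosts) or '-'}")
```

Run it before the maintenance window to build the work list and again afterwards, with the refreshed inventory, to produce the "asset state" record the last action asks for; a non-empty remediate or unknown bucket after the window means the job is not done.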
Evidence notes
The source advisory description states: 'A heap-buffer-overflow was discovered in BusyBox v.1.36.1 in the next_token function at awk.c:1159.' The CISA CSAF republication (ICSA-26-043-06) and Siemens advisory references list affected RUGGEDCOM/SCALANCE products and remediation to V3.3 or later. The revision history also records a clarification that only SINEC OS firmware is impacted. No KEV entry or ransomware association is present in the supplied data.
Official resources
- CVE-2023-42366 CVE record (CVE.org)
- CVE-2023-42366 NVD detail (NVD)
- Source item: CISA CSAF republication (cisa_csaf)
CISA published ICSA-26-043-06 on 2026-01-28 and republished updates through 2026-02-25 based on Siemens ProductCERT advisory SSA-089022; those dates provide the advisory timeline for this CVE.