PatchSiren

CVE-2023-5178 Siemens CVE debrief

A use-after-free vulnerability exists in the NVMe-oF/TCP subsystem of the Linux kernel, specifically in the `nvmet_tcp_free_crypto` function within `drivers/nvme/target/tcp.c`. The vulnerability stems from a logical bug that can lead to use-after-free and double-free conditions. According to the source advisory, this issue may allow a malicious local privileged user to achieve remote code execution or local privilege escalation. The vulnerability was published on August 12, 2025, with the most recent modification on February 25, 2026.

Siemens has identified this vulnerability as affecting multiple product families including RUGGEDCOM RST2428P and SCALANCE networking equipment families. Notably, the source advisory marks the impact assessment as 'Misinformed' for the affected products, suggesting potential clarification or correction in the vulnerability's applicability to these specific Siemens products. The advisory has undergone multiple revisions, with the most recent update on February 25, 2026, reflecting ongoing assessment and correction of affected product listings.

Vendor: Siemens
Product: RUGGEDCOM RST2428P (6GK6242-6PA00)
CVSS: HIGH 8.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2025-08-12
Original CVE updated: 2026-02-25
Advisory published: 2025-08-12
Advisory updated: 2026-02-25

Who should care

Organizations operating Siemens industrial networking equipment (RUGGEDCOM RST2428P, SCALANCE XC-300/XR-300/XC-400/XR-500WG/XR-500 family, SCALANCE XCM-/XRM-/XCH-/XRH-300 family) with NVMe-oF/TCP functionality enabled. System administrators managing Linux-based industrial systems with NVMe target configurations. Security teams responsible for OT/ICS infrastructure where kernel-level vulnerabilities may impact operational availability.

Technical summary

The vulnerability resides in the NVMe over Fabrics TCP target implementation (`nvmet_tcp_free_crypto`) in the Linux kernel. A logical bug in the NVMe-oF/TCP subsystem can trigger use-after-free and double-free memory corruption conditions. The attack vector requires local privileged access, with potential outcomes including remote code execution or local privilege escalation. The affected code path involves cryptographic resource cleanup in the TCP transport layer of the NVMe target subsystem.

Defensive priority

high

Recommended defensive actions

  • Review Siemens ProductCERT advisory SSA-613116 for definitive product impact assessment, as the source advisory marks impact as 'Misinformed'
  • Verify kernel version and NVMe-oF/TCP subsystem configuration on affected Siemens devices
  • Apply vendor-provided firmware updates when available through Siemens ProductCERT channels
  • Implement network segmentation for industrial control systems per CISA recommended practices
  • Monitor for anomalous privileged user activity on systems with NVMe-oF/TCP enabled
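
For the configuration check in the second action above, on a general-purpose Linux host where a shell is available, the following added example (not from the advisory or from Siemens) reports whether the NVMe-oF/TCP target is loaded and whether any TCP port has a subsystem attached. It assumes the standard nvmet configfs layout under /sys/kernel/config/nvmet; the function names and the optional root-prefix argument are hypothetical, and it makes no statement about which kernel versions carry the fix.

```shell
#!/bin/sh
# Added example: report whether the Linux NVMe-oF/TCP target (nvmet_tcp) is in use.
# Each function takes an optional root prefix so it can be run against a
# mounted or constructed filesystem tree instead of the live host.

# Succeeds if the nvmet_tcp module has a /sys/module entry (module loaded).
nvmet_tcp_loaded() (
    root="${1:-}"
    [ -d "$root/sys/module/nvmet_tcp" ]
)

# Prints one line per configured target port whose transport type is tcp.
nvmet_tcp_ports() (
    root="${1:-}"
    for dir in "$root"/sys/kernel/config/nvmet/ports/*/; do
        [ -r "${dir}addr_trtype" ] || continue
        [ "$(cat "${dir}addr_trtype")" = "tcp" ] || continue
        n=0
        # Subsystems exported on a port appear as entries in its subsystems/ dir.
        for s in "${dir}subsystems"/*; do
            if [ -e "$s" ]; then n=$((n + 1)); fi
        done
        printf 'port=%s addr=%s svc=%s subsystems=%s\n' \
            "$(basename "$dir")" \
            "$(cat "${dir}addr_traddr" 2>/dev/null)" \
            "$(cat "${dir}addr_trsvcid" 2>/dev/null)" "$n"
    done
)

# Prints "exposed" (a tcp port exports at least one subsystem),
# "loaded" (module or tcp port present, nothing exported), or "absent".
nvmet_tcp_status() (
    root="${1:-}"
    ports="$(nvmet_tcp_ports "$root")"
    if printf '%s\n' "$ports" | grep -Eq 'subsystems=[1-9]'; then
        echo exposed
    elif nvmet_tcp_loaded "$root" || [ -n "$ports" ]; then
        echo loaded
    else
        echo absent
    fi
)
```

Call `nvmet_tcp_status` with no argument to inspect the running host, and `nvmet_tcp_ports` to list the listening addresses that need segmentation or removal.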

Evidence notes

The vulnerability description is sourced from CISA CSAF advisory ICSA-25-226-15, which references Siemens ProductCERT advisory SSA-613116. The threat category in the source is marked as 'Misinformed' for affected product IDs CSAFPID-0001, CSAFPID-0003, and CSAFPID-0004. The advisory revision history shows four updates, with the latest on 2026-02-25 specifically noting a 'CISA Republication update based on Siemens ProductCERT SSA-613116 advisory'.
