PatchSiren cyber security CVE debrief
CVE-2024-0193 Siemens CVE debrief
A use-after-free vulnerability in the Linux kernel's netfilter subsystem affects Siemens industrial networking products. The flaw occurs when a catchall element in the pipapo set is garbage-collected during set removal, causing double deactivation and potential use-after-free on NFT_CHAIN or NFT_OBJECT structures. A local attacker with CAP_NET_ADMIN capability could exploit this to escalate privileges. The vulnerability was published on August 12, 2025, with the advisory last modified on February 25, 2026. CISA republished this advisory based on Siemens ProductCERT SSA-613116. Siemens has assessed the impact as 'Misinformed' for affected products, suggesting the vulnerability may not be exploitable in the specific product configurations or that the risk assessment differs from initial reports. No CVSS score is currently available in the source data.
- Vendor: Siemens
- Product: RUGGEDCOM RST2428P (6GK6242-6PA00)
- CVSS: HIGH 7.8
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2025-08-12
- Original CVE updated: 2026-02-25
- Advisory published: 2025-08-12
- Advisory updated: 2026-02-25
Who should care
Organizations operating Siemens SCALANCE XC-300/XR-300/XC-400/XR-500WG/XR-500 family switches, RUGGEDCOM RST2428P devices, or other affected industrial networking equipment. Security teams managing Linux-based industrial systems with netfilter/nftables configurations. Operators of containerized or virtualized environments where CAP_NET_ADMIN may be granted to less-trusted workloads.
Technical summary
The vulnerability resides in the netfilter subsystem's pipapo set implementation. When a catchall element is garbage-collected during set removal, the element may be deactivated twice. This double-deactivation can trigger use-after-free conditions on NFT_CHAIN or NFT_OBJECT kernel objects. Exploitation requires local access and CAP_NET_ADMIN capability, which is typically restricted to privileged users or container environments with elevated network privileges. Siemens has categorized the impact as 'Misinformed' in their CSAF data, indicating their assessment may differ from the original CVE description or that mitigating factors exist in their product implementations.
Defensive priority
medium
Recommended defensive actions
- Review Siemens ProductCERT advisory SSA-613116 for detailed product-specific impact assessment and patch availability
- Verify CAP_NET_ADMIN capability restrictions on affected Siemens industrial networking devices
- Apply kernel updates or vendor patches when available per Siemens guidance
- Monitor CISA ICS advisories for updates to ICSA-25-226-15
- Implement defense-in-depth strategies for industrial control systems per CISA recommended practices
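One way to carry out the CAP_NET_ADMIN check above on general-purpose Linux hosts and container nodes is to read the capability masks the kernel exposes in `/proc/<pid>/status`. This is an added example, not code from Siemens or CISA; the function names and the sample status text are constructed for illustration.

```python
import os

CAP_NET_ADMIN = 12  # bit index defined in linux/capability.h

# Constructed sample of /proc/<pid>/status, not taken from a real device.
SAMPLE_STATUS = (
    "Name:\tnft-agent\nPid:\t4242\nUid:\t1001\t1001\t1001\t1001\n"
    "CapInh:\t0000000000000000\nCapPrm:\t0000000000001000\n"
    "CapEff:\t0000000000001000\nCapBnd:\t000001ffffffffff\n"
)

def parse_status(text):
    """Extract name, pid, real uid and capability masks from a status file."""
    fields = dict(l.split(":", 1) for l in text.splitlines() if ":" in l)
    info = {
        "name": fields["Name"].strip(),
        "pid": int(fields["Pid"]),
        "uid": int(fields["Uid"].split()[0]),  # first value is the real uid
    }
    for key in ("CapPrm", "CapEff"):
        info[key] = int(fields[key], 16)  # masks are printed as hex
    return info

def net_admin_level(info):
    """Say where CAP_NET_ADMIN appears: effective, permitted, or none."""
    for key, label in (("CapEff", "effective"), ("CapPrm", "permitted")):
        if info[key] >> CAP_NET_ADMIN & 1:
            return label
    return "none"

def audit(proc="/proc"):
    """List (pid, name, uid, level) for every process holding the capability."""
    findings = []
    for entry in filter(str.isdigit, os.listdir(proc)):
        try:
            with open(os.path.join(proc, entry, "status")) as fh:
                info = parse_status(fh.read())
        except (OSError, KeyError, ValueError, IndexError):
            continue  # process exited mid-scan or status was unreadable
        level = net_admin_level(info)
        if level != "none":
            findings.append((info["pid"], info["name"], info["uid"], level))
    return findings

if __name__ == "__main__":
    for pid, name, uid, level in audit():
        print(f"pid={pid} uid={uid} name={name} CAP_NET_ADMIN={level}")
```

Entries with a non-zero uid, or that belong to container workloads, are the ones to review against the less-trusted-workload concern described under "Who should care".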
Evidence notes
Source: CISA CSAF advisory ICSA-25-226-15, republished from Siemens ProductCERT SSA-613116. Impact assessment: 'Misinformed' per threat category in CSAF data. Affected products include RUGGEDCOM RST2428P and SCALANCE XC-300/XR-300/XC-400/XR-500WG/XR-500 family. Revision history shows multiple updates through February 2026, including corrections to affected products list and removal of rejected CVEs.
Official resources
- CVE-2024-0193 CVE record (CVE.org)
- CVE-2024-0193 NVD detail (NVD)
- Source item URL (cisa_csaf)
- Source reference (Reference)
2025-08-12