PatchSiren cyber security CVE debrief
CVE-2024-26673 Siemens CVE debrief
A vulnerability in the Linux kernel's netfilter nft_ct subsystem allowed improper handling of layer 3 and layer 4 protocol numbers in custom connection tracking expectations. The flaw was resolved by adding sanitization checks to validate these protocol numbers. Siemens has assessed this CVE as **Misinformed** for its affected industrial networking products, indicating the vulnerability does not apply to the listed product configurations.
- Vendor
- Siemens
- Product
- RUGGEDCOM RST2428P (6GK6242-6PA00)
- CVSS
- Unknown
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2025-08-12
- Original CVE updated
- 2026-02-25
- Advisory published
- 2025-08-12
- Advisory updated
- 2026-02-25
Who should care
Operators of Siemens SCALANCE and RUGGEDCOM industrial networking equipment running SINEC OS; Linux kernel maintainers and security teams managing netfilter/iptables/nftables deployments; OT security practitioners tracking CISA ICS advisories.
Technical summary
The vulnerability exists in the Linux kernel's netfilter framework, specifically within the nft_ct (netfilter connection tracking) module's handling of custom expectations. Custom expectations allow firewall rules to anticipate related connections (e.g., FTP data channels). The flaw involved insufficient validation of layer 3 (network layer) and layer 4 (transport layer) protocol numbers when creating these expectations. Without proper sanitization, invalid or unexpected protocol values could be processed, potentially leading to undefined behavior in connection tracking state management. The fix implements proper bounds checking and validation of protocol numbers before they are used in expectation structures. For Siemens products specifically, this CVE has been determined not to be exploitable in the supported configurations.
Defensive priority
low
Recommended defensive actions
- Verify current SINEC OS version on affected Siemens devices; ensure version 3.1 or later is deployed as earlier versions are unsupported
- Review CISA ICS recommended practices for defense-in-depth strategies in industrial control environments
- Monitor Siemens ProductCERT advisories for any future reassessment of this CVE's applicability
- Apply standard Linux kernel security updates through vendor channels if running affected kernel versions in non-Siemens environments
Evidence notes
The source advisory (ICSA-25-226-15) explicitly categorizes the impact of CVE-2024-26673 as 'Misinformed' for the affected Siemens product IDs (CSAFPID-0001, CSAFPID-0003, CSAFPID-0004). The vulnerability description references a Linux kernel netfilter fix for sanitizing protocol numbers in nft_ct custom expectations. Siemens' ProductCERT advisory SSA-613116 provides the authoritative product-specific assessment.
Official resources
-
CVE-2024-26673 CVE record
CVE.org
-
CVE-2024-26673 NVD detail
NVD
-
Source item URL
cisa_csaf
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
2025-08-12