PatchSiren

PatchSiren cyber security CVE debrief

CVE-2024-34397 Siemens CVE debrief

CVE-2024-34397 is a medium-severity vulnerability (CVSS 5.2) in GNOME GLib affecting versions before 2.78.5 and 2.79.x/2.80.x before 2.80.1. The flaw allows local attackers on shared computers to spoof D-Bus signals that GDBus-based clients will incorrectly attribute to trusted system services like NetworkManager. This signal spoofing can cause affected clients to behave incorrectly with application-dependent consequences. The vulnerability was published on June 10, 2025, and last modified on May 14, 2026. Siemens has confirmed that multiple SIMATIC S7-1500 CPU 1518-4 PN/DP MFP products are affected, including variants 6ES7518-4AX00-1AB0, 6ES7518-4AX00-1AC0, 6ES7518-4FX00-1AB0, 6ES7518-4FX00-1AC0, and the SIPLUS variant 6AG1518-4AX00-4AC0. No patch is currently available from Siemens.

Vendor: Siemens
Product: SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0)
CVSS: MEDIUM 5.2
CISA KEV: Not listed in stored evidence
Original CVE published: 2025-06-10
Original CVE updated: 2026-05-14
Advisory published: 2025-06-10
Advisory updated: 2026-05-14

Who should care

Organizations operating Siemens SIMATIC S7-1500 CPU 1518-4 PN/DP MFP controllers in multi-user or shared environments should prioritize access controls. Industrial control system operators using affected PLCs with interactive GNU/Linux subsystems are at risk of local privilege abuse and potential manipulation of D-Bus-dependent applications. Security teams in manufacturing, energy, and critical infrastructure sectors should assess exposure and implement compensating controls until patches become available.

Technical summary

The vulnerability exists in GNOME GLib's GDBus implementation, which fails to properly validate the source of D-Bus signals. When a client subscribes to signals from a trusted system service, GLib does not adequately verify that subsequent signals originate from that same trusted service. This allows other users on the same shared computer to inject spoofed signals that the client will process as authentic. The attack requires local physical access (AV:P) but can be executed with low complexity and no privileges. The primary impact is integrity compromise (I:H) with limited availability impact (A:L). Siemens has identified affected products in their SIMATIC S7-1500 CPU 1518-4 PN/DP MFP family, which incorporates the vulnerable GLib components in their GNU/Linux subsystem.
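For exposure assessment, the affected upstream GLib ranges stated above (before 2.78.5, and 2.79.x/2.80.x before 2.80.1) can be turned into an inventory check. This is an added example, not code from Siemens, GNOME, or the advisory; the function names, host names, and sample versions are constructed. It compares upstream version numbers only, so a distribution package with a backported fix will still be flagged.

```python
import re

# Fixed upstream releases as stated in the advisory text above.
FIXED_STABLE = (2, 78, 5)   # versions before 2.78.5 are affected
FIXED_NEXT = (2, 80, 1)     # 2.79.x and 2.80.x before 2.80.1 are affected

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)")


def parse_glib_version(text):
    """Return (major, minor, micro) from an upstream GLib version string.

    Trailing packaging suffixes such as '-1' are ignored.
    Raises ValueError when no three-part version is present.
    """
    match = _VERSION_RE.match(text.strip())
    if not match:
        raise ValueError(f"unrecognised GLib version: {text!r}")
    return tuple(int(part) for part in match.groups())


def is_affected(text):
    """True if the upstream version falls in a range the page lists as affected."""
    version = parse_glib_version(text)
    if version < FIXED_STABLE:
        return True
    if (2, 79, 0) <= version < FIXED_NEXT:
        return True
    return False


def triage(inventory):
    """Map host -> 'affected' / 'not affected' / 'unknown' for an inventory dict."""
    result = {}
    for host, version in inventory.items():
        try:
            result[host] = "affected" if is_affected(version) else "not affected"
        except ValueError:
            result[host] = "unknown"   # review by hand rather than assume safe
    return result


# Constructed sample inventory (host names and versions are made up).
SAMPLE = {"hmi-01": "2.78.4", "hmi-02": "2.78.5", "eng-ws": "2.79.2",
          "gw-01": "2.80.0-1", "gw-02": "2.80.1", "plc-linux": "n/a"}

if __name__ == "__main__":
    for host, status in triage(SAMPLE).items():
        print(f"{host}: {status}")
```

On a general-purpose Linux host with GLib development files installed, `pkg-config --modversion glib-2.0` prints a version string in the form this check expects.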

Defensive priority

medium

Recommended defensive actions

  • Limit access to the interactive shell of the additional GNU/Linux subsystem to trusted personnel only
  • Only build and run applications from trusted sources
  • Monitor for updates from Siemens ProductCERT regarding patch availability
  • Apply defense-in-depth strategies for industrial control systems per CISA guidance

Evidence notes

The vulnerability description and affected product information are derived from CISA CSAF advisory ICSA-25-162-05, which republishes Siemens ProductCERT advisory SSA-082556. The CVSS vector AV:P/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L indicates physical attack vector with high integrity impact and low availability impact.
