PatchSiren cyber security CVE debrief
CVE-2024-35996 Siemens CVE debrief
CVE-2024-35996 addresses a Linux kernel issue where CPU mitigations were not enabled by default on non-x86 architectures, potentially leaving systems vulnerable to speculative execution attacks. The vulnerability stems from the kernel's CPU mitigation framework defaulting to disabled states on architectures other than x86, contrary to security best practices. Siemens has identified this as affecting SINEC OS, which powers industrial networking equipment including the RUGGEDCOM RST2428P and SCALANCE X-family switches. The CVSS 3.1 vector (AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H) indicates a local attack vector with low complexity, requiring low privileges and no user interaction, and resulting in high availability impact but no confidentiality or integrity impact. This suggests the vulnerability could allow a local attacker to cause denial-of-service conditions on affected industrial control systems. The advisory was initially published by CISA on August 12, 2025, with subsequent revisions through February 2026 to correct affected product listings and remove rejected CVEs. Siemens has provided a vendor fix requiring an update to SINEC OS V3.1 or later.
- Vendor: Siemens
- Product: RUGGEDCOM RST2428P (6GK6242-6PA00)
- CVSS: MEDIUM 5.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2024-04-09
- Original CVE updated: 2026-05-14
- Advisory published: 2024-04-09
- Advisory updated: 2026-05-14
Who should care
Organizations operating Siemens industrial networking equipment with SINEC OS, particularly those deploying RUGGEDCOM and SCALANCE products in critical infrastructure environments. Security teams responsible for OT/ICS asset management and patch deployment should prioritize verification of SINEC OS versions and mitigation status.
Technical summary
The Linux kernel's CPU mitigation framework historically defaulted to disabled on non-x86 architectures, requiring explicit enablement. CVE-2024-35996 corrects this by re-enabling CPU mitigations by default for !X86 architectures. In Siemens SINEC OS deployments, this vulnerability affects industrial networking equipment including RUGGEDCOM RST2428P and SCALANCE X-family switches (XC-300/XR-300/XC-400/XR-500WG/XR-500, XCM-/XRM-/XCH-/XRH-300 families). The local attack vector with high availability impact suggests potential for denial-of-service through exploitation of unmitigated speculative execution vulnerabilities on affected ARM or other non-x86 platforms.
Defensive priority
medium
Recommended defensive actions
- Update affected Siemens SINEC OS devices to version 3.1 or later to obtain the vendor fix for CVE-2024-35996
- Verify CPU mitigation status on non-x86 architecture systems running SINEC OS prior to V3.1
- Review local access controls on affected industrial networking equipment to limit potential exploitation
- Monitor Siemens ProductCERT advisory SSA-613116 for additional product-specific guidance
- Apply defense-in-depth strategies per CISA ICS recommended practices for industrial control systems
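The "verify CPU mitigation status" action above, and the default-disabled framework described in the technical summary, can be checked on any Linux host that gives you a shell: the kernel reports, per vulnerability, whether a mitigation is active. This is an added example, not Siemens' or the kernel's own code; the sysfs values are constructed samples, and whether a given SINEC OS build exposes such a shell is an assumption.

```python
"""Added example (not Siemens or kernel code): check whether the running Linux
kernel reports its speculative-execution mitigations as active. The kernel
exposes one file per CPU vulnerability under the sysfs directory below."""
import os
from typing import Dict, List

SYSFS_VULN_DIR = "/sys/devices/system/cpu/vulnerabilities"
# Constructed sample values, illustrative only (not captured from a SINEC OS device).
SAMPLE_UNMITIGATED = {
    "spectre_v1": "Vulnerable: __user pointer sanitization and usercopy barriers only",
    "spectre_v2": "Vulnerable",
    "spec_store_bypass": "Vulnerable",
    "meltdown": "Not affected",
}
SAMPLE_MITIGATED = {
    "spectre_v1": "Mitigation: __user pointer sanitization",
    "spectre_v2": "Mitigation: CSV2, BHB",
    "spec_store_bypass": "Mitigation: Speculative Store Bypass disabled via prctl",
    "meltdown": "Not affected",
}

def classify(report: str) -> str:
    """Map one sysfs vulnerability line to a coarse status."""
    text = report.strip()
    if text.startswith("Not affected"):
        return "not_affected"
    if text.startswith("Mitigation:"):
        return "mitigated"
    if text.startswith("Vulnerable"):
        return "vulnerable"
    return "unknown"  # e.g. "Unknown: ..." lines some kernels emit inside guests

def find_unmitigated(reports: Dict[str, str]) -> List[str]:
    """Names of vulnerabilities the kernel says it is NOT mitigating."""
    return sorted(n for n, r in reports.items() if classify(r) == "vulnerable")

def mitigations_disabled_on_cmdline(cmdline: str) -> bool:
    """True if the kernel was booted with mitigations=off (disables them all)."""
    return "mitigations=off" in cmdline.split()

def read_sysfs_reports(path: str = SYSFS_VULN_DIR) -> Dict[str, str]:
    """Read the live sysfs files; empty dict when the directory is absent."""
    if not os.path.isdir(path):
        return {}
    return {n: open(os.path.join(path, n)).read() for n in os.listdir(path)}

if __name__ == "__main__":
    reports = read_sysfs_reports() or SAMPLE_UNMITIGATED  # fall back to the sample
    print("unmitigated:", find_unmitigated(reports) or "none")
```

On a fixed kernel every entry should classify as mitigated or not affected; any "vulnerable" result, or `mitigations=off` on `/proc/cmdline`, is what to record before and after the V3.1 update.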
Evidence notes
CVE description and CVSS vector from CISA CSAF advisory ICSA-25-226-15. Affected products and remediation details from Siemens ProductCERT SSA-613116 as republished by CISA. Timeline derived from advisory revision history showing initial publication 2025-08-12 and final republication 2026-02-25.
Official resources
- CVE-2024-35996 CVE record (CVE.org)
- CVE-2024-35996 NVD detail (NVD)
- Source item URL: cisa_csaf
2025-08-12