PatchSiren cyber security CVE debrief
CVE-2024-36270 Siemens CVE debrief
CVE-2024-36270 is a medium-severity vulnerability (CVSS 5.5) in the Linux kernel's netfilter tproxy subsystem. The flaw occurs when the Transparent Proxy (TPROXY) functionality fails to properly validate whether IP networking has been disabled on a network device before processing packets. This can lead to a general protection fault due to dereferencing a non-canonical address, resulting in a local denial-of-service condition. The vulnerability requires local access with low privileges and no user interaction, making it exploitable by authenticated local attackers. Siemens has identified this vulnerability as affecting multiple industrial networking products running SINEC OS, including RUGGEDCOM RST2428P and SCALANCE XC-300/XR-300/XC-400/XR-500WG/XR-500 family devices. The vendor has released firmware updates to address this issue.
- Vendor
- Siemens
- Product
- RUGGEDCOM RST2428P (6GK6242-6PA00)
- CVSS
- MEDIUM 5.5
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2024-04-09
- Original CVE updated
- 2026-05-14
- Advisory published
- 2024-04-09
- Advisory updated
- 2026-05-14
Who should care
Organizations operating Siemens industrial networking equipment including RUGGEDCOM RST2428P switches and SCALANCE XC-300/XR-300/XC-400/XR-500WG/XR-500 family devices. Critical infrastructure operators in energy, manufacturing, and transportation sectors using SINEC OS-based devices should prioritize patching. Security teams responsible for OT/ICS environments should assess exposure and implement compensating controls where immediate patching is not feasible.
Technical summary
The vulnerability exists in the netfilter tproxy implementation where the code fails to check if IP networking has been disabled on a device before processing transparent proxy operations. When IP is disabled, the socket lookup may reference invalid memory addresses, causing a general protection fault. The CVSS 3.1 vector (AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H) indicates local attack vector, low attack complexity, low privileges required, no user interaction, and high availability impact with no confidentiality or integrity impact. This is a denial-of-service vulnerability only.
Defensive priority
medium
Recommended defensive actions
- Apply vendor-provided firmware updates to V3.1 or later for affected Siemens SINEC OS devices
- Verify current firmware version on RUGGEDCOM RST2428P, SCALANCE XC-300/XR-300/XC-400/XR-500WG/XR-500 family, and SCALANCE XCM-/XRM-/XCH-/XRH-300 family devices
- Implement network segmentation to limit local access to industrial control system devices
- Monitor for anomalous local process activity that could indicate exploitation attempts
- Review and apply CISA ICS recommended practices for defense-in-depth strategies
- Note: SCALANCE XCM-/XRM-/XCH-/XRH-300 family products are listed as not affected per vendor threat assessment
Evidence notes
Vulnerability published 2025-08-12 per CISA CSAF advisory ICSA-25-226-15. Modified 2026-02-25 with republication based on Siemens ProductCERT SSA-613116 advisory. CVSS vector confirms local attack vector with low attack complexity and high availability impact.
Official resources
-
CVE-2024-36270 CVE record
CVE.org
-
CVE-2024-36270 NVD detail
NVD
-
Source item URL
cisa_csaf
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
2025-08-12