PatchSiren cyber security CVE debrief
CVE-2024-38615 Siemens CVE debrief
A vulnerability in the Linux kernel cpufreq subsystem affects Siemens industrial networking products. The issue involves a missing NULL pointer check before calling the optional exit() callback, which can lead to a denial of service condition. The vulnerability has a CVSS 3.1 score of 5.5 (MEDIUM) with local attack vector and high availability impact. Siemens has released updates to address this issue in affected SCALANCE and RUGGEDCOM products.
- Vendor
- Siemens
- Product
- RUGGEDCOM RST2428P (6GK6242-6PA00)
- CVSS
- MEDIUM 5.5
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2024-04-09
- Original CVE updated
- 2026-05-14
- Advisory published
- 2024-04-09
- Advisory updated
- 2026-05-14
Who should care
Organizations operating Siemens SCALANCE and RUGGEDCOM industrial networking infrastructure, particularly those in critical infrastructure sectors with OT/ICS environments. System administrators responsible for maintaining SINEC OS-based devices should prioritize patching. Security teams monitoring industrial control systems for kernel-level vulnerabilities affecting availability. Organizations subject to CISA ICS security guidance should review recommended practices for defense-in-depth strategies.
Technical summary
The vulnerability exists in the Linux kernel cpufreq subsystem where the exit() callback is optional but was being called without first validating the function pointer. This can result in a NULL pointer dereference. Additionally, the freq_table pointer must be cleared even when the exit() callback is not present. The issue affects Siemens industrial networking products running SINEC OS versions prior to 3.1, including SCALANCE XC-300/XR-300/XC-400/XR-500WG/XR-500 family, SCALANCE XCM-/XRM-/XCH-/XRH-300 family, and RUGGEDCOM RST2428P (6GK6242-6PA00). The CVSS 3.1 vector CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H indicates a local attack vector with low attack complexity, low privileges required, no user interaction, and high impact to availability.
Defensive priority
medium
Recommended defensive actions
- Update affected Siemens SCALANCE and RUGGEDCOM devices to SINEC OS V3.1 or later version per vendor guidance
- Review CISA ICS recommended practices for defense-in-depth strategies for industrial control systems
- Monitor Siemens ProductCERT advisories for additional affected product notifications
- Apply principle of least privilege for local access to affected systems
- Implement network segmentation to limit exposure of industrial control devices
Evidence notes
CVE published 2025-08-12 per CISA CSAF advisory ICSA-25-226-15. Advisory modified 2026-02-25 with republication based on Siemens ProductCERT SSA-613116. CVSS vector AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H indicates local attack with low complexity, low privileges required, no user interaction, and high availability impact.
Official resources
-
CVE-2024-38615 CVE record
CVE.org
-
CVE-2024-38615 NVD detail
NVD
-
Source item URL
cisa_csaf
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
2025-08-12