PatchSiren cyber security CVE debrief
CVE-2024-39482 Siemens CVE debrief
CVE-2024-39482 describes a variable length array abuse vulnerability in the Linux kernel bcache subsystem, specifically within the btree_iter component. The vulnerability was published on 2025-08-12 and last modified on 2026-02-25. Siemens ProductCERT issued advisory SSA-355557 addressing this CVE as part of third-party component security in SINEC OS. CISA subsequently republished this advisory as ICSA-25-226-07 on 2025-08-12, with the most recent republication update occurring on 2026-02-25 based on the Siemens advisory. The vulnerability carries a CVSS score of 5.5 (MEDIUM severity). According to the source advisory, the threat impact is categorized as 'Misinformed' for affected product configurations. The advisory revision history indicates multiple updates, including corrections to affected product listings and clarification of affected configurations for the SCALANCE XC-300/XR-300/XC-400/XR-500WG/XR-500 family. This CVE is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog.
- Vendor: Siemens
- Product: RUGGEDCOM RST2428P (6GK6242-6PA00)
- CVSS: MEDIUM 5.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2024-04-09
- Original CVE updated: 2026-05-14
- Advisory published: 2024-04-09
- Advisory updated: 2026-05-14
Who should care
Organizations operating Siemens industrial network infrastructure including SINEC OS, SCALANCE XC/XR/XCM/XRM/XCH/XRH series switches, and RUGGEDCOM RST2428P devices. OT security teams responsible for patch management in manufacturing, energy, and critical infrastructure environments using Siemens networking equipment.
Technical summary
The vulnerability exists in the btree_iter implementation of the Linux kernel bcache (block cache) subsystem, where improper use of variable length arrays (VLAs) can lead to security issues. It affects Siemens products running SINEC OS that incorporate the vulnerable kernel component. The source advisory categorizes the threat impact as 'Misinformed', indicating a potential for incorrect state or information disclosure rather than direct code execution. Siemens addresses the vulnerability through its third-party component update process for affected industrial networking products, including RUGGEDCOM RST2428P and SCALANCE family devices.
Defensive priority
medium
Recommended defensive actions
- Review Siemens ProductCERT advisory SSA-355557 for detailed product impact and patch availability
- Verify SINEC OS and affected Siemens industrial network device firmware versions against vendor guidance
- Apply vendor-provided security updates for SINEC OS and affected SCALANCE/RUGGEDCOM products when available
- Implement network segmentation for industrial control systems per CISA recommended practices
- Monitor CISA ICS advisories for additional updates to ICSA-25-226-07
Evidence notes
CVE published 2025-08-12 per source metadata. CISA advisory ICSA-25-226-07 published same date. Last modified 2026-02-25 per CISA republication update. Siemens SSA-355557 is the canonical source advisory. Threat impact marked 'Misinformed' in source. Not in KEV catalog.
Official resources
- CVE-2024-39482 CVE record (CVE.org)
- CVE-2024-39482 NVD detail (NVD)
- Source item URL (cisa_csaf)
- Source reference (Reference)
2025-08-12