PatchSiren cyber security CVE debrief

CVE-2024-40963 Siemens CVE debrief

CVE-2024-40963 describes a kernel panic condition in the MIPS BMIPS BCM6358 platform where certain devices have their CBR (Configuration Base Register) address set to 0. When the function `arch_sync_dma_for_cpu_all` is called on affected systems, this null CBR address triggers a kernel panic. The vulnerability resides in the Linux kernel's MIPS architecture support code for Broadcom BMIPS processors, specifically the BCM6358 variant. Siemens has identified this CVE as affecting certain industrial networking products running SINEC OS that incorporate vulnerable third-party components. The CISA ICS advisory ICSA-25-226-07, published August 12, 2025 and most recently updated February 25, 2026, tracks this vulnerability alongside other third-party component issues in Siemens products. Notably, the threat assessment in the source advisory categorizes the impact for affected product IDs as 'Misinformed,' suggesting potential clarification or correction in how this vulnerability applies to specific product configurations. The advisory has undergone multiple revisions, with the February 2026 updates correcting affected product listings and clarifying family-specific configurations. Organizations operating affected Siemens industrial networking equipment should consult the vendor's security advisory for patch availability and apply updates according to their maintenance windows.

Vendor: Siemens
Product: RUGGEDCOM RST2428P (6GK6242-6PA00)
CVSS: Unknown
CISA KEV: Not listed in stored evidence
Original CVE published: 2025-08-12
Original CVE updated: 2026-02-25
Advisory published: 2025-08-12
Advisory updated: 2026-02-25

Who should care

Organizations operating Siemens industrial networking infrastructure including RUGGEDCOM RST2428P, SCALANCE XC-300/XR-300/XC-400/XR-500WG/XR-500 family, and SCALANCE XCM-/XRM-/XCH-/XRH-300 family devices. System administrators responsible for SINEC OS deployments in manufacturing, energy, transportation, and critical infrastructure sectors. Security teams monitoring industrial control system vulnerabilities and third-party component risks in operational technology environments.

Technical summary

The vulnerability exists in the Linux kernel's MIPS architecture code for Broadcom BMIPS processors. The BCM6358 platform may have a CBR (Configuration Base Register) address of 0 on certain devices. When `arch_sync_dma_for_cpu_all` is invoked, the null pointer dereference or invalid memory access causes a kernel panic. This is a denial-of-service condition affecting system availability. The issue is specific to the DMA synchronization path for CPU cache coherency operations in the BMIPS platform code. Siemens industrial networking products running SINEC OS with affected kernel versions are impacted, though the advisory's 'Misinformed' threat categorization suggests the applicability may vary by specific product configuration.

Defensive priority

medium

Recommended defensive actions

Review Siemens ProductCERT advisory SSA-355557 for detailed product impact assessment and patch availability
Verify SINEC OS version and third-party kernel component versions on affected Siemens networking equipment
Monitor CISA ICS advisory ICSA-25-226-07 for updates to affected product configurations
Apply vendor-provided kernel updates or firmware patches addressing the BMIPS BCM6358 CBR initialization issue
Test patch deployment in non-production environments before applying to operational industrial control systems
Implement network segmentation to limit exposure of affected industrial networking devices
Establish monitoring for unexpected system reboots or kernel panics that may indicate exploitation attempts

Evidence notes

Source advisory ICSA-25-226-07 published 2025-08-12, modified 2026-02-25. Threat category marked 'Misinformed' for product IDs CSAFPID-0006, CSAFPID-0002, CSAFPID-0003. Revision history shows corrections to affected product listings in February 2026 updates.

Official resources

2025-08-12