PatchSiren cyber security CVE debrief
CVE-2024-40974 Siemens CVE debrief
CVE-2024-40974 describes a stack corruption vulnerability in the Linux kernel's powerpc/pseries subsystem, specifically within the `plpar_hcall9()` function. The flaw occurs when this function stores results past the end of an array, leading to potential runtime stack corruption. This vulnerability affects Siemens industrial networking products that incorporate the vulnerable Linux kernel component, including the RUGGEDCOM RST2428P and SCALANCE X-family switches running SINEC OS. The vulnerability was initially published on August 12, 2025, with subsequent advisory updates through February 25, 2026, to correct affected product listings and clarify configuration details. Notably, the CISA advisory marks the impact assessment as 'Misinformed' for the listed products, indicating potential discrepancies in how this vulnerability applies to the specific Siemens product configurations. Organizations should consult the Siemens ProductCERT advisory for definitive product-specific impact and remediation guidance.
- Vendor: Siemens
- Product: RUGGEDCOM RST2428P (6GK6242-6PA00)
- CVSS: Unknown
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2025-08-12
- Original CVE updated: 2026-02-25
- Advisory published: 2025-08-12
- Advisory updated: 2026-02-25
Who should care
Organizations operating Siemens RUGGEDCOM RST2428P switches or SCALANCE X-family industrial Ethernet switches (XC-300/XR-300/XC-400/XR-500WG/XR-500 and XCM-/XRM-/XCH-/XRH-300 families) running SINEC OS should assess their exposure. System administrators managing industrial control system networks, OT security teams, and infrastructure operators in critical manufacturing, energy, and transportation sectors using these Siemens products should prioritize review of vendor guidance. Given the 'Misinformed' impact designation in the CISA advisory, organizations should rely primarily on Siemens ProductCERT communications for accurate risk assessment rather than assuming direct vulnerability applicability.
Technical summary
The vulnerability exists in the Linux kernel's powerpc/pseries platform code, specifically the `plpar_hcall9()` hypercall function used on IBM Power Systems (pSeries). This function is designed to make hypervisor calls with up to 9 arguments and return results in a caller-provided array. The flaw occurs when the function writes result values beyond the allocated array bounds, causing stack corruption at runtime. This type of memory safety violation can lead to unpredictable behavior, potential denial of service, or in worst cases, code execution. The vulnerability is relevant to Siemens industrial networking equipment that runs on PowerPC architecture and incorporates the affected Linux kernel versions within SINEC OS. The CISA advisory's 'Misinformed' impact classification suggests that the vulnerability's applicability to specific product configurations may require careful verification against Siemens' official guidance.
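The bug class described above, as an added illustration in user-space C (not kernel code and not the upstream fix): a callee that always writes a fixed number of result words through a bare pointer, next to a variant that requires the caller's element count and refuses undersized buffers. All names, the error code, the stand-in hypervisor and the result count of nine are assumptions made for this example.

```c
#include <stddef.h>
#include <string.h>

#define HCALL9_RESULTS  9    /* assumed: callee always returns nine words */
#define HCALL_OK        0
#define HCALL_EBUFSIZE (-1)  /* hypothetical error code for this example */

/* Stand-in for the hypervisor: fills nine constructed result words. */
static void fake_hypervisor(unsigned long opcode, unsigned long *out)
{
    for (size_t i = 0; i < HCALL9_RESULTS; i++)
        out[i] = opcode + i;
}

/* Shape of the bug class: only a pointer arrives, so nine words are written
 * no matter how small the caller's array is. Safe only if the caller really
 * allocated HCALL9_RESULTS elements. */
long hcall9_unchecked(unsigned long opcode, unsigned long *retbuf)
{
    fake_hypervisor(opcode, retbuf);
    return HCALL_OK;
}

/* Hardened shape: the element count travels with the pointer, results are
 * staged in a full-size local array, and short buffers are never written. */
long hcall9_checked(unsigned long opcode, unsigned long *retbuf, size_t nelems)
{
    unsigned long staged[HCALL9_RESULTS];

    if (retbuf == NULL || nelems < HCALL9_RESULTS)
        return HCALL_EBUFSIZE;
    fake_hypervisor(opcode, staged);
    memcpy(retbuf, staged, sizeof(staged));
    return HCALL_OK;
}

/* Derives the count from the array itself; valid for true arrays only,
 * not for pointers that have already decayed. */
#define HCALL9(op, arr) hcall9_checked((op), (arr), sizeof(arr) / sizeof((arr)[0]))

int main(void)
{
    unsigned long small[4] = {0}, full[HCALL9_RESULTS] = {0};
    long r_small = HCALL9(0x100, small);  /* refused: four slots, nine results */
    long r_full = HCALL9(0x100, full);    /* accepted: buffer is large enough */
    return (r_small == HCALL_EBUFSIZE && r_full == HCALL_OK) ? 0 : 1;
}
```
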
Defensive priority
medium
Recommended defensive actions
- Review Siemens ProductCERT Security Advisory SSA-355557 for definitive product-specific impact assessment and remediation guidance
- Verify SINEC OS and firmware versions on affected Siemens RUGGEDCOM and SCALANCE devices
- Apply vendor-provided security updates or patches when available per Siemens guidance
- Implement network segmentation for industrial control systems to limit exposure of affected devices
- Monitor CISA ICS advisories for updates to ICSA-25-226-07
Evidence notes
The vulnerability description indicates stack corruption in the powerpc/pseries `plpar_hcall9()` function. The CISA CSAF source marks impact as 'Misinformed' for affected product IDs CSAFPID-0006, CSAFPID-0002, and CSAFPID-0003. Advisory revision history shows multiple updates: initial publication (2025-08-12), corrected product lists (2026-02-12), clarified SCALANCE family configurations and removed rejected CVEs (2026-02-24), and final CISA republication based on Siemens SSA-355557 (2026-02-25).
Official resources
- CVE-2024-40974 CVE record (CVE.org)
- CVE-2024-40974 NVD detail (NVD)
- Source item URL (cisa_csaf)
- Source reference (Reference)
2025-08-12