PatchSiren

PatchSiren cyber security CVE debrief

CVE-2024-40990 Siemens CVE debrief

CVE-2024-40990 is a medium-severity integer overflow vulnerability in the Linux kernel's PTP (Precision Time Protocol) subsystem, specifically within the `max_vclocks_store` function. The vulnerability was published on August 12, 2025, and last modified on February 25, 2026. Siemens has identified this CVE as affecting certain industrial networking products running SINEC OS, including the RUGGEDCOM RST2428P and SCALANCE X-family switches. However, per CISA's CSAF advisory ICSA-25-226-07, the impact assessment for these products is marked as 'Misinformed,' indicating that the vulnerability's actual impact on Siemens products may differ from initial assessments or that the products are not practically exploitable in their deployed configurations. The CVSS score of 5.5 reflects a medium severity with local attack vector requirements. Organizations should consult Siemens ProductCERT advisory SSA-355557 for definitive product-specific guidance and patch availability.

Vendor: Siemens
Product: RUGGEDCOM RST2428P (6GK6242-6PA00)
CVSS: MEDIUM 5.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2025-08-12
Original CVE updated: 2026-02-25
Advisory published: 2025-08-12
Advisory updated: 2026-02-25

Who should care

Organizations operating Siemens RUGGEDCOM RST2428P, SCALANCE XC-300/XR-300/XC-400/XR-500WG/XR-500, or SCALANCE XCM-/XRM-/XCH-/XRH-300 family switches in industrial control system environments; OT security teams managing PTP-enabled networks; infrastructure operators dependent on precise time synchronization for control system operations.

Technical summary

An integer overflow in the Linux kernel's PTP (Precision Time Protocol) `max_vclocks_store` function can lead to undefined behavior when processing user-supplied values. The vulnerability exists in the kernel's PTP clock management code, where insufficient validation of the `max_vclocks` parameter may result in wrap-around conditions. Siemens products utilizing SINEC OS with PTP functionality are identified as affected, though the vendor's impact assessment indicates potential misclassification or limited practical exploitability. The vulnerability requires local access to exploit, consistent with its CVSS 5.5 medium severity rating.
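A simplified user-space model of the wrap-around described above, added here as an example; it is not the kernel's code or the vendor's fix. It assumes the user-supplied count is multiplied by `sizeof(int)` in 32-bit arithmetic; `size_unchecked`, `size_checked`, `MODEL_ALLOC_MAX` and `MODEL_VCLOCKS_LIMIT` are hypothetical names and values chosen for illustration.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Assumed allocation ceiling for this model; not a kernel constant. */
#define MODEL_ALLOC_MAX (4u * 1024u * 1024u)
#define MODEL_VCLOCKS_LIMIT (MODEL_ALLOC_MAX / (uint32_t)sizeof(int))

/* Parse a sysfs-style numeric string into a u32; returns 0 or -EINVAL. */
static int parse_u32(const char *buf, uint32_t *out)
{
    char *end;
    unsigned long long v;
    errno = 0;
    v = strtoull(buf, &end, 0);
    if (errno || end == buf || buf[0] == '-' || v > UINT32_MAX)
        return -EINVAL;
    if (*end == '\n')
        end++;
    if (*end != '\0')
        return -EINVAL;
    *out = (uint32_t)v;
    return 0;
}

/* Before: byte count in 32-bit arithmetic, as with a 32-bit size_t. */
static uint32_t size_unchecked(uint32_t max)
{
    return max * (uint32_t)sizeof(int); /* wraps modulo 2^32 */
}

/* After: bound the count before it is used to size anything. */
static int size_checked(const char *buf, uint32_t *size)
{
    uint32_t max;
    if (parse_u32(buf, &max) || max == 0 || max > MODEL_VCLOCKS_LIMIT)
        return -EINVAL;
    *size = max * (uint32_t)sizeof(int); /* cannot wrap: max is bounded */
    return 0;
}

int main(void)
{
    uint32_t sz = 0; /* constructed input: 0x40000001 */
    printf("unchecked: %u bytes\n", (unsigned)size_unchecked(0x40000001u));
    printf("checked:   %d\n", size_checked("1073741825", &sz));
    return 0;
}
```

With a 4-byte `int`, the unchecked path turns a count of 0x40000001 into a 4-byte size, which is the mismatch between requested element count and computed buffer size that an upper bound on the parameter prevents.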

Defensive priority

medium

Recommended defensive actions

  • Review Siemens ProductCERT advisory SSA-355557 for official product-specific impact assessment and remediation guidance
  • Verify SINEC OS version and PTP configuration on affected Siemens RUGGEDCOM and SCALANCE devices
  • Apply vendor-provided firmware updates when available per Siemens maintenance schedules
  • Monitor CISA ICS advisories for updates to ICSA-25-226-07
  • Implement network segmentation for industrial control systems per CISA recommended practices
  • Restrict local access to device management interfaces to authorized personnel only

Evidence notes

CVE published 2025-08-12; modified 2026-02-25. CISA CSAF advisory ICSA-25-226-07 tracks this as part of Siemens Third-Party Components in SINEC OS advisory. Siemens ProductCERT SSA-355557 is the canonical vendor advisory. Impact marked 'Misinformed' in CSAF threat data for affected product IDs.
