PatchSiren cyber security CVE debrief

CVE-2024-42086 Siemens CVE debrief

CVE-2024-42086 describes integer overflow vulnerabilities in the BME680 sensor driver's compensate() functions within the Linux Industrial I/O (IIO) chemical subsystem. The BME680 is a digital environmental sensor measuring temperature, humidity, pressure, and indoor air quality. The compensate() functions perform calibration calculations on raw sensor readings; insufficient bounds checking on these calculations can lead to arithmetic overflows. When exploited, these overflows may cause incorrect sensor readings, unexpected behavior in dependent control systems, or potentially crash the kernel driver. The vulnerability affects Siemens industrial networking products that incorporate the vulnerable Linux kernel component, specifically the RUGGEDCOM RST2428P and certain SCALANCE switch families running SINEC OS. Siemens has assessed the impact as 'Misinformed' in their advisory, indicating that while the vulnerability exists in the underlying component, the specific product configuration may limit exploitability or impact. The CVSS 7.8 HIGH score reflects significant potential for integrity and availability impacts in industrial control environments where sensor data drives automated decisions.

Vendor: Siemens
Product: RUGGEDCOM RST2428P (6GK6242-6PA00)
CVSS: HIGH 7.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2025-08-12
Original CVE updated: 2026-02-25
Advisory published: 2025-08-12
Advisory updated: 2026-02-25

Who should care

Industrial control system operators, OT security teams, and facility managers deploying Siemens SCALANCE switches or RUGGEDCOM devices with environmental monitoring capabilities. Organizations using BME680 sensors in Linux-based embedded systems for building automation, environmental monitoring, or process control should assess their exposure. Kernel maintainers and embedded Linux distributors should prioritize patching the IIO chemical subsystem.

Technical summary

The BME680 driver in the Linux IIO (Industrial I/O) subsystem contains integer overflow vulnerabilities in its temperature, humidity, and pressure compensation functions. These functions apply factory calibration coefficients to raw ADC readings from the Bosch BME680 environmental sensor. The calculations involve multiplication and division operations on 16-bit and 32-bit signed integers without adequate overflow checks. On affected Siemens devices running SINEC OS (RUGGEDCOM RST2428P, SCALANCE XC-300/XR-300/XC-400/XR-500WG/XR-500 family, SCALANCE XCM-/XRM-/XCH-/XRH-300 family), this kernel driver component may be exposed to crafted sensor inputs or error conditions that trigger the overflow. Successful exploitation could result in saturated or wrapped sensor values, causing environmental monitoring systems to report incorrect temperature, humidity, pressure, or gas resistance readings. In industrial automation contexts, such corrupted sensor data could propagate to building management systems, process control loops, or safety interlocks. The vulnerability is rated HIGH severity (CVSS 7.8) because of its potential impact on data integrity and system availability in critical infrastructure deployments.
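To make the overflow class concrete, the following C is an added example written for this debrief; it is not code from the Linux driver, from Siemens, or from the page. It uses a calibration polynomial of the same shape the summary describes (shift, multiply by a coefficient, shift) with constructed coefficients, carries every intermediate in 64 bits, flags any product that would not fit the 32-bit variable a narrow implementation would use, and shows the wrapped value such an implementation would have produced.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Constructed calibration coefficients for this example, not values read
 * from a real sensor; widths follow the page (16-bit and narrower ints). */
#define CAL_T1 26000u
#define CAL_T2 26000
#define CAL_T3 3

static bool fits_s32(int64_t v) { return v >= INT32_MIN && v <= INT32_MAX; }

/* Polynomial of the shape the page describes, written for this example (not
 * the driver's code). Intermediates are 64-bit; *ov is set when a product
 * would not fit the 32-bit variable a narrow implementation would use. */
static int64_t compensate_impl(uint16_t t1, int16_t t2, int8_t t3,
                               int32_t adc, bool *ov)
{
    int64_t var1 = (adc >> 3) - ((int64_t)t1 << 1);
    int64_t p1 = var1 * t2;                       /* linear term */
    int64_t p2 = (var1 >> 1) * (var1 >> 1);       /* quadratic term */
    int64_t p3 = (p2 >> 12) * ((int64_t)t3 << 4);
    int64_t t_fine = (p1 >> 11) + (p3 >> 14);
    if (ov)
        *ov = !fits_s32(p1) || !fits_s32(p2) || !fits_s32(p3) ||
              !fits_s32(t_fine * 5);
    return ((t_fine * 5) + 128) >> 8;             /* hundredths of a degree */
}

/* Compensated temperature, saturated to the 32-bit range rather than wrapped. */
int32_t compensate_temp(uint16_t t1, int16_t t2, int8_t t3, int32_t adc)
{
    int64_t v = compensate_impl(t1, t2, t3, adc, NULL);
    return v > INT32_MAX ? INT32_MAX : v < INT32_MIN ? INT32_MIN : (int32_t)v;
}

bool would_overflow_s32(uint16_t t1, int16_t t2, int8_t t3, int32_t adc)
{
    bool ov;
    compensate_impl(t1, t2, t3, adc, &ov);
    return ov;
}

/* What a 32-bit implementation would have stored for an exact product:
 * the two's-complement wrap, computed with well-defined unsigned arithmetic. */
int32_t wrap_s32(int64_t exact)
{
    uint32_t u = (uint32_t)(uint64_t)exact;
    return u <= (uint32_t)INT32_MAX ? (int32_t)u : -(int32_t)(UINT32_MAX - u) - 1;
}
```

With a plausible 20-bit reading (500000) the result is 2604, i.e. 26.04 degrees, and nothing overflows; with the all-ones reading 0xFFFFF and a zero offset coefficient the squared term alone reaches 65535*65535, which a 32-bit variable stores as -131071, the kind of nonsensical reading the summary warns about.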

Defensive priority

HIGH

Recommended defensive actions

  • Review Siemens ProductCERT advisory SSA-355557 for detailed product-specific impact assessment and patch availability
  • Verify SINEC OS version on affected SCALANCE and RUGGEDCOM devices and apply vendor-provided updates when available
  • Monitor sensor data validation in control systems relying on BME680 environmental readings for anomalous values that may indicate exploitation attempts
  • Implement network segmentation for industrial control systems to limit exposure of device management interfaces
  • Apply defense-in-depth strategies per CISA ICS recommended practices for industrial control system security

Evidence notes

CVE published 2025-08-12 per CISA CSAF advisory ICSA-25-226-07. Advisory modified 2026-02-25 with republication based on Siemens ProductCERT SSA-355557. Siemens assessed impact as 'Misinformed' for affected products. No KEV listing. No known ransomware campaign use documented.
