PatchSiren cyber security CVE debrief
CVE-2024-42148 Siemens CVE debrief
CVE-2024-42148 describes multiple UBSAN (Undefined Behavior Sanitizer) array-index-out-of-bounds issues in the bnx2x network driver. The CVE record was published on 2025-08-12 and last modified on 2026-02-25. CISA's advisory ICSA-25-226-07, which was republished on 2026-02-25 based on Siemens ProductCERT advisory SSA-355557, identifies this CVE as affecting Siemens industrial networking products, including the RUGGEDCOM RST2428P and the SCALANCE XC-300/XR-300/XC-400/XR-500WG/XR-500 family devices running SINEC OS. The CVSS score of 5.5 (MEDIUM) reflects the local attack vector and high attack complexity typically associated with kernel driver vulnerabilities requiring privileged access. The bnx2x driver is the Broadcom NetXtreme II network driver for Linux systems; array-index-out-of-bounds conditions in kernel drivers can lead to undefined behavior, potential information disclosure, or denial of service. The UBSAN detection indicates these issues were identified through compiler sanitizer instrumentation rather than through observed exploitation in the wild. Organizations should consult vendor guidance for patch availability and apply defense-in-depth strategies for industrial control systems.
- Vendor: Siemens
- Product: RUGGEDCOM RST2428P (6GK6242-6PA00)
- CVSS: MEDIUM 5.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2025-08-12
- Original CVE updated: 2026-02-25
- Advisory published: 2025-08-12
- Advisory updated: 2026-02-25
Who should care
Organizations operating Siemens industrial networking equipment with SINEC OS, particularly RUGGEDCOM RST2428P and SCALANCE XC/XR/XCM/XRM/XCH/XRH series devices. Security teams responsible for OT/ICS environments using Broadcom NetXtreme II network adapters in Linux-based industrial systems. Asset owners implementing defense-in-depth strategies for critical infrastructure networks.
Technical summary
The bnx2x driver in the Linux kernel contains multiple array-index-out-of-bounds conditions detectable by UBSAN (Undefined Behavior Sanitizer). These issues affect the driver's handling of network operations and can result in undefined behavior when array boundaries are violated. The vulnerability is classified as MEDIUM severity (CVSS 5.5) with local attack vector and high complexity. Siemens has identified affected products in their SINEC OS-based industrial networking portfolio including RUGGEDCOM RST2428P and multiple SCALANCE families. The CSAF advisory indicates these products incorporate the vulnerable bnx2x driver component. UBSAN-detected issues typically require local privileged access to trigger and may result in information disclosure or denial of service rather than code execution, though undefined behavior in kernel context carries inherent risk.
Defensive priority
medium
Recommended defensive actions
- Review Siemens ProductCERT advisory SSA-355557 for detailed affected product configurations and patch availability
- Apply vendor-provided firmware updates for SINEC OS when available
- Implement network segmentation for industrial control systems per CISA recommended practices
- Monitor for anomalous network driver behavior on affected Siemens devices
- Follow defense-in-depth strategies for ICS environments as outlined in CISA guidance
Evidence notes
CVE published 2025-08-12 per source metadata. CISA advisory ICSA-25-226-07 republished 2026-02-25 based on Siemens SSA-355557. Affected products identified through CSAF product tree: RUGGEDCOM RST2428P (6GK6242-6PA00), SCALANCE XC-300/XR-300/XC-400/XR-500WG/XR-500 family, SCALANCE XCM-/XRM-/XCH-/XRH-300 family. CVSS 5.5 MEDIUM per source. bnx2x is the Linux kernel driver for Broadcom NetXtreme II 10Gb Ethernet adapters. UBSAN array-index-out-of-bounds indicates undefined behavior detected via compiler sanitizer instrumentation.
Official resources
- CVE-2024-42148 CVE record (CVE.org)
- CVE-2024-42148 NVD detail (NVD)
- Source item URL (cisa_csaf)
- Source reference
2025-08-12