PatchSiren cyber security CVE debrief

CVE-2024-42236 Siemens CVE debrief

CVE-2024-42236 describes an out-of-bounds (OOB) read/write vulnerability in the Linux kernel's USB gadget configfs subsystem, specifically within the `usb_string_copy()` function. The vulnerability was published on 2025-08-12 and last modified on 2026-02-25. Siemens ProductCERT issued advisory SSA-355557 addressing this CVE, which CISA subsequently republished as ICSA-25-226-07 on 2025-08-12 with updates through February 2026. The advisory covers multiple Siemens industrial networking products including the RUGGEDCOM RST2428P and SCALANCE X-family switches running SINEC OS. According to the source advisory's threat data, the impact assessment for affected products was marked as 'Misinformed,' indicating potential information integrity concerns. The CVSS v3.1 score of 5.5 (MEDIUM) reflects the vulnerability's attack vector and impact characteristics. Organizations should consult the Siemens ProductCERT advisory for specific patch availability and configuration guidance for affected SCALANCE and RUGGEDCOM devices.

Vendor: Siemens
Product: RUGGEDCOM RST2428P (6GK6242-6PA00)
CVSS: MEDIUM 5.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2025-08-12
Original CVE updated: 2026-02-25
Advisory published: 2025-08-12
Advisory updated: 2026-02-25

Who should care

Organizations operating Siemens SCALANCE X-family industrial Ethernet switches (XC-300/XR-300/XC-400/XR-500WG/XR-500, XCM-/XRM-/XCH-/XRH-300 families) or RUGGEDCOM RST2428P devices in critical infrastructure, manufacturing, or utility environments. Security teams responsible for OT/ICS asset management and patch coordination should prioritize this advisory. System integrators deploying SINEC OS-based infrastructure should verify configuration hardening and update status.

Technical summary

The vulnerability exists in the `usb_string_copy()` function within the Linux kernel's USB gadget configfs implementation. This function handles string copying operations for USB gadget configuration, and improper bounds checking enables out-of-bounds memory access. The flaw can result in both information disclosure (OOB read) and memory corruption (OOB write) when processing USB gadget configuration strings. In the context of affected Siemens industrial networking equipment running SINEC OS, exploitation would require local access or administrative configuration privileges to manipulate USB gadget settings through the configfs interface. The MEDIUM CVSS score reflects the need for privileges and the limited scope of impact, though industrial deployments with exposed management interfaces may face elevated risk.
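As an added illustration (not code from this page, from Siemens, or from the kernel tree): a user-space model of a bounds-checked copy built around the length-zero check that the CVE record names as the fix, so the empty-input and over-long-input edge cases can be exercised offline. `safe_string_copy`, `check_edge_cases`, `MAX_STRING_LEN` and its value are assumed names and stand-ins, not kernel identifiers.

```c
/* Added example: user-space model of a bounds-checked string copy.
 * Names and the length limit are assumptions for illustration. */
#include <errno.h>
#include <stdlib.h>
#include <string.h>

#define MAX_STRING_LEN 126   /* stand-in for the per-string limit (assumed) */

/* Copy a NUL-terminated, user-supplied string into *out, trimming one
 * trailing newline. Returns 0 on success or a negative errno value.
 * Without the len == 0 check, the newline test would read and then write
 * str[len - 1] == str[-1]: the out-of-bounds read/write the CVE describes. */
static int safe_string_copy(const char *s, char **out)
{
    size_t len = strlen(s);
    char *str;

    if (len == 0)                 /* the added check: reject empty input */
        return -EINVAL;
    if (len > MAX_STRING_LEN)     /* existing check: reject over-long input */
        return -EOVERFLOW;

    /* Reuse the caller's buffer if one exists, else allocate len + NUL. */
    str = *out ? *out : malloc(MAX_STRING_LEN + 1);
    if (!str)
        return -ENOMEM;

    memcpy(str, s, len + 1);
    if (str[len - 1] == '\n')     /* safe: len >= 1 is now guaranteed */
        str[len - 1] = '\0';
    *out = str;
    return 0;
}

/* Exercise the edge cases; returns 0 when every case behaves as expected. */
static int check_edge_cases(void)
{
    char *buf = NULL;
    char big[MAX_STRING_LEN + 2];           /* constructed over-long input */

    if (safe_string_copy("", &buf) != -EINVAL) return 1;    /* empty rejected */
    if (buf != NULL) return 2;                               /* nothing touched */
    if (safe_string_copy("gadget\n", &buf) != 0) return 3;  /* newline trimmed */
    if (strcmp(buf, "gadget") != 0) return 4;
    memset(big, 'A', sizeof big - 1);
    big[sizeof big - 1] = '\0';
    if (safe_string_copy(big, &buf) != -EOVERFLOW) return 5; /* too long */
    free(buf);
    return 0;
}
```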

Defensive priority

medium

Recommended defensive actions

  • Review Siemens ProductCERT advisory SSA-355557 for affected product configurations and patch status
  • Verify SINEC OS versions on SCALANCE XC-300/XR-300/XC-400/XR-500WG/XR-500 family and XCM-/XRM-/XCH-/XRH-300 family devices
  • Assess RUGGEDCOM RST2428P deployments for exposure to USB gadget functionality
  • Apply vendor-provided firmware updates when available per Siemens security advisory
  • Implement network segmentation for industrial control systems per CISA recommended practices
  • Monitor CISA ICS advisories for additional updates to ICSA-25-226-07

Evidence notes

Vulnerability description sourced from CISA CSAF advisory ICSA-25-226-07, which republishes Siemens ProductCERT SSA-355557. Impact assessment 'Misinformed' derived from advisory threats category. Product scope includes RUGGEDCOM RST2428P (6GK6242-6PA00) and SCALANCE X-family switches per CSAF product tree. Advisory revision history shows multiple updates through 2026-02-25 clarifying affected product configurations and removing rejected CVEs.

Official resources

Siemens ProductCERT advisory SSA-355557; CISA ICS advisory ICSA-25-226-07 (published 2025-08-12)