PatchSiren

PatchSiren cyber security CVE debrief

CVE-2024-43098 Siemens CVE debrief

CVE-2024-43098 is a medium-severity (CVSS 5.5) deadlock vulnerability in the Linux kernel's I3C (Improved Inter-Integrated Circuit) subsystem. During master registration, `i3c_master_register()` takes `i3cbus->lock` and then, while still holding it, reaches a helper that takes the same lock a second time; a task that waits on a lock it already holds never wakes up, so the registration path hangs. The vulnerability affects Siemens industrial networking products running SINEC OS, specifically the RUGGEDCOM RST2428P and the SCALANCE XC-300/XR-300/XC-400/XR-500WG/XR-500 and XCM-/XRM-/XCH-/XRH-300 families. Siemens' advisory was published on August 12, 2025 and updated through February 25, 2026, including corrections to the affected product list and the removal of rejected CVEs. Siemens provides fixed versions; updating affected products to version 3.2 or later is the recommended remediation.

Vendor
Siemens
Product
RUGGEDCOM RST2428P (6GK6242-6PA00)
CVSS
MEDIUM 5.5
CISA KEV
Not listed in stored evidence
Original CVE published
2025-08-12
Original CVE updated
2026-02-25
Advisory published
2025-08-12
Advisory updated
2026-02-25

Who should care

Organizations operating Siemens industrial networking infrastructure, particularly those deploying RUGGEDCOM RST2428P switches or SCALANCE XC/XR/XCM/XRM/XCH/XRH series managed switches in critical infrastructure, manufacturing, or process control environments. Security teams responsible for OT/ICS asset management and patch coordination should prioritize this update.

Technical summary

The bug is in the Linux kernel's I3C subsystem. `i3c_master_register()` holds `i3cbus->lock` during registration, and a helper called on that path, `i3c_device_get_info()`, takes the same lock again. A task that blocks waiting for a lock it already holds never resumes, so the registration path deadlocks and the I3C bus never comes up. The upstream fix reads `i3cdev->desc->info` directly, which the lock the caller already holds protects, instead of calling `i3c_device_get_info()`, so the lock is taken only once. The CVSS vector is local access, low attack complexity, low privileges, no user interaction and no confidentiality or integrity impact; the 5.5 score comes from the high availability impact alone. On the affected switches this is a denial-of-service (hang) condition reachable by a local, already-privileged user, not a remote code-execution path, which is what the medium defensive priority below reflects.
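The double acquisition described above, as an added C example that is not kernel code and not from Siemens. The bus lock is a constructed stand-in for the kernel's rw_semaphore that records which task holds the exclusive side, so a re-entry by the same task is reported as -EDEADLK (the way lockdep would report it) instead of blocking forever. Struct names echo the kernel's, but the fields, the task id 42 and the device PID 0x1234 are made up for the demo; `get_info_locked` plays the role of the pre-fix `i3c_device_get_info()` and `get_info_cached` the post-fix direct read of `i3cdev->desc->info`.

```c
#include <errno.h>
#include <stdio.h>

/* Constructed stand-in for the rw_semaphore used as i3cbus->lock. It tracks
 * the exclusive holder's task id so a second acquisition by the same task can
 * be reported instead of sleeping forever, which is what a real rwsem does. */
struct bus_lock {
    int readers;          /* active shared holders */
    int write_held;       /* 1 while the exclusive side is held */
    unsigned long owner;  /* task id of the exclusive holder */
};

struct i3c_device_info { unsigned long long pid; unsigned char bcr, dcr; };
struct i3c_bus { struct bus_lock lock; };
struct i3c_dev_desc { struct i3c_bus *bus; struct i3c_device_info info; };
struct i3c_device { struct i3c_dev_desc *desc; };

/* Exclusive side of the bus lock, as taken by the registration path. */
static int bus_maintenance_lock(struct i3c_bus *bus, unsigned long task)
{
    struct bus_lock *l = &bus->lock;
    if (l->write_held || l->readers)
        return -EDEADLK;  /* single-task demo: nobody else will ever release it */
    l->write_held = 1;
    l->owner = task;
    return 0;
}

static void bus_maintenance_unlock(struct i3c_bus *bus)
{
    bus->lock.write_held = 0;
    bus->lock.owner = 0;
}

/* Shared side of the bus lock. On a real rwsem a task that already holds the
 * exclusive side and calls down_read() here waits for itself: the deadlock. */
static int bus_normaluse_lock(struct i3c_bus *bus, unsigned long task)
{
    struct bus_lock *l = &bus->lock;
    if (l->write_held)
        return l->owner == task ? -EDEADLK : -EBUSY;  /* self-recursion vs contention */
    l->readers++;
    return 0;
}

static void bus_normaluse_unlock(struct i3c_bus *bus) { bus->lock.readers--; }

/* Before the fix: the helper locks the bus itself, so calling it with the
 * maintenance lock held acquires i3cbus->lock twice. */
static int get_info_locked(struct i3c_device *dev, unsigned long task,
                           struct i3c_device_info *out)
{
    int rc = bus_normaluse_lock(dev->desc->bus, task);
    if (rc)
        return rc;
    *out = dev->desc->info;
    bus_normaluse_unlock(dev->desc->bus);
    return 0;
}

/* After the fix: read the descriptor's cached info, already protected by the
 * lock the caller holds. No second acquisition. */
static int get_info_cached(struct i3c_device *dev, unsigned long task,
                           struct i3c_device_info *out)
{
    (void)task;
    *out = dev->desc->info;
    return 0;
}

/* Registration path as the page describes it: bus locked in maintenance mode,
 * then a per-device step that needs the device's info. Returns the PID read,
 * or a negative errno if the inner step would have deadlocked. */
static long long register_device(int (*get_info)(struct i3c_device *, unsigned long,
                                                 struct i3c_device_info *))
{
    const unsigned long task = 42;  /* constructed task id */
    struct i3c_bus bus = { { 0, 0, 0 } };
    struct i3c_dev_desc desc = { &bus, { 0x1234ULL, 0x20, 0x3c } };  /* constructed device */
    struct i3c_device dev = { &desc };
    struct i3c_device_info info = { 0, 0, 0 };
    int rc = bus_maintenance_lock(&bus, task);
    if (rc)
        return rc;
    rc = get_info(&dev, task, &info);
    bus_maintenance_unlock(&bus);
    return rc ? rc : (long long)info.pid;
}

long long demo_before(void) { return register_device(get_info_locked); }
long long demo_after(void)  { return register_device(get_info_cached); }

int main(void)
{
    printf("before fix: %lld (expect -EDEADLK = %d)\n", demo_before(), -EDEADLK);
    printf("after fix:  pid 0x%llx\n", demo_after());
    return 0;
}
```

The owner check in `bus_normaluse_lock` is the whole point: a second reader from a different task would merely contend (-EBUSY) and eventually proceed, whereas the same task re-entering its own exclusive section can never be woken, which is why the fix removes the inner acquisition rather than reordering it.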

Defensive priority

Medium

Recommended defensive actions

  • Apply vendor-provided updates to version 3.2 or later for affected Siemens RUGGEDCOM RST2428P and SCALANCE product families
  • Review Siemens ProductCERT advisory SSA-355557 for specific configuration guidance on SCALANCE XC-300/XR-300/XC-400/XR-500WG/XR-500 family deployments
  • Follow CISA ICS recommended practices for defense-in-depth strategies for industrial control systems
  • Monitor for additional vendor communications regarding patch availability and deployment guidance
  • Assess network segmentation to limit exposure of affected industrial networking equipment

Evidence notes

CVE published 2025-08-12; CISA ICS advisory ICSA-25-226-07; Siemens ProductCERT SSA-355557; advisory modified 2026-02-25 with product list corrections and CVE removals.

Official resources

Siemens ProductCERT advisory SSA-355557 (published 2025-08-12); CISA ICS advisory ICSA-25-226-07.