PatchSiren cyber security CVE debrief
CVE-2024-43907 Siemens CVE debrief
CVE-2024-43907 describes a null pointer dereference in the `apply_state_adjust_rules` function within the `drm/amdgpu/pm` kernel driver. The vulnerability was originally published on 2025-08-12 and last modified on 2026-02-25. According to the CISA CSAF advisory ICSA-25-226-07, Siemens has assessed this CVE as **Misinformed** for the affected product lines, indicating that the vulnerability does not actually affect the listed Siemens industrial networking products despite initial inclusion in third-party component tracking. The advisory underwent multiple revisions, with the most significant update on 2026-02-25 clarifying affected configurations and removing numerous rejected CVEs from the advisory scope. No CVSS score or severity rating is available for this entry.
- Vendor: Siemens
- Product: RUGGEDCOM RST2428P (6GK6242-6PA00)
- CVSS: Unknown
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2025-08-12
- Original CVE updated: 2026-02-25
- Advisory published: 2025-08-12
- Advisory updated: 2026-02-25
Who should care
Organizations operating Siemens RUGGEDCOM and SCALANCE industrial networking infrastructure should review this advisory to confirm that CVE-2024-43907 does not require remediation action on their deployed equipment. Security teams tracking third-party component vulnerabilities in ICS environments should note the misinformed classification and update risk registers accordingly. Asset owners should prioritize verified vulnerabilities over initially reported third-party component issues pending vendor confirmation.
Technical summary
CVE-2024-43907 is a null pointer dereference vulnerability in the Linux kernel's AMDGPU power management driver (`drm/amdgpu/pm`), specifically in the `apply_state_adjust_rules` function. The vulnerability was tracked in CISA advisory ICSA-25-226-07 as part of third-party component security monitoring for Siemens industrial networking products. Following vendor analysis, Siemens ProductCERT determined this CVE to be **Misinformed** for the affected product lines, indicating the vulnerability is not applicable to the actual product firmware/software implementation. The advisory scope included RUGGEDCOM RST2428P switches and multiple SCALANCE industrial Ethernet switch families, but these products do not incorporate the vulnerable Linux kernel driver component in a way that exposes them to this issue.
Defensive priority
Low
Recommended defensive actions
- Verify that affected Siemens product lines (RUGGEDCOM RST2428P, SCALANCE XC-300/XR-300/XC-400/XR-500WG/XR-500 family, SCALANCE XCM-/XRM-/XCH-/XRH-300 family) are running current firmware versions as recommended in vendor
- Review Siemens ProductCERT advisory SSA-355557 for definitive product security status and any subsequent clarifications
- Document this CVE as non-exploitable for the listed Siemens products, citing the vendor's "Misinformed" assessment as the basis
- Maintain standard ICS security hygiene including network segmentation and access controls per CISA recommended practices
Evidence notes
The CISA CSAF advisory ICSA-25-226-07 explicitly categorizes the impact of CVE-2024-43907 as 'Misinformed' for product IDs CSAFPID-0006, CSAFPID-0002, and CSAFPID-0003. The advisory's revision history shows this CVE remained under review through multiple updates, with the final 2026-02-25 republication based on Siemens ProductCERT SSA-355557 advisory confirming the misinformed status. The vulnerability description references a Linux kernel AMDGPU power management driver issue, which appears unrelated to the actual firmware/software stack of the listed Siemens industrial Ethernet switches.
Official resources
- CVE-2024-43907 CVE record (CVE.org)
- CVE-2024-43907 NVD detail (NVD)
- Source item URL (cisa_csaf)
2025-08-12