PatchSiren

PatchSiren cyber security CVE debrief

CVE-2024-44989 Siemens CVE debrief

A NULL pointer dereference exists in the Linux kernel's bonding driver, in the callbacks it registers for IPsec (xfrm) hardware offload. Those callbacks use the `real_dev` pointer (the slave device an offloaded IPsec state was programmed into) without validating it, so a caller that reaches the offload path while `real_dev` is unset dereferences NULL and panics the kernel. The flaw reaches Siemens industrial networking products that ship the vulnerable kernel component, including the RUGGEDCOM RST2428P switch and the SCALANCE XC/XR/XCM/XRM/XCH/XRH switch families. The issue is fixed in the upstream Linux kernel, and Siemens has released vendor fixes: RUGGEDCOM RST2428P and the SCALANCE XCM-/XRM-/XCH-/XRH-300 family should be updated to version 3.2 or later, and the SCALANCE XC-300/XR-300/XC-400/XR-500WG/XR-500 family requires updates per Siemens guidance.

Vendor
Siemens
Product
RUGGEDCOM RST2428P (6GK6242-6PA00)
CVSS
MEDIUM 5.5
CISA KEV
Not listed in stored evidence
Original CVE published
2024-04-09
Original CVE updated
2026-05-14
Advisory published
2024-04-09
Advisory updated
2026-05-14

Who should care

Organizations operating Siemens industrial networking infrastructure, particularly critical infrastructure and manufacturing environments that run RUGGEDCOM RST2428P or SCALANCE XC/XR/XCM/XRM/XCH/XRH series switches. System administrators responsible for the availability of industrial control system networks should prioritize patching, since the impact is a crash of the switch itself. Security teams that monitor OT/ICS environments for kernel-level vulnerabilities in network stack components should track this issue as well.

Technical summary

The vulnerability resides in the Linux kernel's bonding network driver, in its IPsec (xfrm) hardware-offload handling. The driver's offload callbacks dereference the `real_dev` member without checking that it is set; when it is NULL, the result is a kernel panic and a crash of the device. The flaw is classified as CWE-476 (NULL Pointer Dereference) with a CVSS 3.1 base score of 5.5 (MEDIUM). The vector is local with low privileges required and no user interaction, so exploitation needs the ability to run code or otherwise drive the bonding/xfrm path on the device itself; the impact is denial of service (high availability impact) with no confidentiality or integrity impact, not code execution. Affected products include the Siemens RUGGEDCOM RST2428P switch and multiple SCALANCE industrial Ethernet switch families that incorporate the vulnerable kernel code.
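The following user-space model of the pattern described above is added here as an illustration; it is not code from the Linux kernel, Siemens, or PatchSiren. The type and function names (net_dev, xfrm_offload, bond_offload_ok_unchecked, bond_offload_ok_checked, simulate_slave_removed) are simplified stand-ins for the kernel's bonding and xfrm offload structures, and the sample slave driver and IPsec state are constructed data. The checked variant shows a generic NULL guard that fails closed; it is not a claim about the exact shape of the upstream patch.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Simplified stand-in for the slave device's IPsec offload callback table. */
struct offload_ops {
	bool (*offload_ok)(const char *state_name);
};

/* Simplified stand-in for a slave network device enslaved to the bond. */
struct net_dev {
	const char *name;
	const struct offload_ops *ops;
};

/* Simplified stand-in for the xfrm state's offload bookkeeping: real_dev is
 * the slave the state was programmed into, or NULL while no slave holds it. */
struct xfrm_offload {
	const char *state_name;
	struct net_dev *real_dev;
};

/* Constructed sample slave driver: always accepts offload. */
static bool nic_offload_ok(const char *state_name)
{
	(void)state_name;
	return true;
}

static const struct offload_ops nic_ops = { .offload_ok = nic_offload_ok };

/* Unchecked pattern (the CWE-476 shape the advisory describes): the callback
 * assumes real_dev is always set. If a slave change cleared real_dev while a
 * packet was still in flight, this dereferences NULL; in the kernel that is
 * the panic, here it would be a segmentation fault. Never call it with NULL. */
bool bond_offload_ok_unchecked(const struct xfrm_offload *xso)
{
	return xso->real_dev->ops->offload_ok(xso->state_name);
}

/* Checked pattern: validate the whole pointer chain and fail closed.
 * Returning false tells the caller the offload is unavailable, so the packet
 * takes the software xfrm path instead of crashing the device. */
bool bond_offload_ok_checked(const struct xfrm_offload *xso)
{
	const struct net_dev *real_dev = xso->real_dev;

	if (!real_dev || !real_dev->ops || !real_dev->ops->offload_ok)
		return false;
	return real_dev->ops->offload_ok(xso->state_name);
}

/* Replays the race on constructed data: a state is programmed into a slave,
 * then the slave is detached (real_dev cleared) while the state is still
 * consulted. Returns true when the checked path answered yes before and a
 * safe no after, i.e. it survived the window the unchecked path crashes in. */
bool simulate_slave_removed(void)
{
	struct net_dev slave = { .name = "eth0", .ops = &nic_ops };
	struct xfrm_offload xso = { .state_name = "sa-1", .real_dev = &slave };
	bool before = bond_offload_ok_checked(&xso);

	xso.real_dev = NULL;	/* slave detached; packet still in flight */
	bool after = bond_offload_ok_checked(&xso);

	return before && !after;
}

int main(void)
{
	printf("checked offload path survives slave removal: %s\n",
	       simulate_slave_removed() ? "yes" : "no");
	return 0;
}
```

Build with any C99 compiler (for example `cc -std=c99 -Wall example.c`) and run. The unchecked function is present only to show the shape of the bug; the simulation exercises the checked path across the same window, which is where the unchecked one would fault.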

Defensive priority

medium

Recommended defensive actions

  • Apply vendor-provided firmware updates to affected Siemens industrial networking equipment. For RUGGEDCOM RST2428P (6GK6242-6PA00) and SCALANCE XCM-/XRM-/XCH-/XRH-300 family devices, update to version 3.2 or later.
  • For SCALANCE XC-300/XR-300/XC-400/XR-500WG/XR-500 family devices, follow Siemens guidance for configuration updates and version upgrades.
  • Implement network segmentation for industrial control systems to limit exposure of affected devices.
  • Monitor for anomalous system crashes or unexpected reboots on affected devices that could indicate exploitation attempts.
  • Review and apply CISA ICS recommended practices for defense-in-depth strategies.

Evidence notes

Vulnerability description sourced from CISA CSAF advisory ICSA-25-226-07, which references Siemens ProductCERT advisory SSA-355557. The CVE was published on 2025-08-12 and last modified on 2026-02-25. The CVSS 3.1 vector (AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H) indicates a local attack vector with low attack complexity, requiring low privileges, resulting in high availability impact. The CWE-476 classification (NULL Pointer Dereference) is referenced in source materials.
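To check the stated score against the stated vector, the following CVSS v3.1 base-score calculator is added as an example; it is not part of the advisory or of any Siemens, CISA, or PatchSiren tooling. It implements the published v3.1 base equations (ISS, Impact, Exploitability, and the Roundup function) from the specification's weight tables, ignores temporal and environmental metrics, and uses function names (cvss31_base, metric_weight, roundup) chosen for this example.

```c
#include <stdio.h>
#include <string.h>

/* Weight for one base metric letter per the CVSS v3.1 specification tables.
 * PR depends on Scope. Returns -1.0 for an unknown metric or letter. */
static double metric_weight(const char *m, char v, int scope_changed)
{
	if (!strcmp(m, "AV"))
		return v == 'N' ? 0.85 : v == 'A' ? 0.62 : v == 'L' ? 0.55 : v == 'P' ? 0.20 : -1.0;
	if (!strcmp(m, "AC"))
		return v == 'L' ? 0.77 : v == 'H' ? 0.44 : -1.0;
	if (!strcmp(m, "PR"))
		return v == 'N' ? 0.85 : v == 'L' ? (scope_changed ? 0.68 : 0.62)
		     : v == 'H' ? (scope_changed ? 0.50 : 0.27) : -1.0;
	if (!strcmp(m, "UI"))
		return v == 'N' ? 0.85 : v == 'R' ? 0.62 : -1.0;
	if (!strcmp(m, "C") || !strcmp(m, "I") || !strcmp(m, "A"))
		return v == 'H' ? 0.56 : v == 'L' ? 0.22 : v == 'N' ? 0.0 : -1.0;
	return -1.0;
}

/* CVSS v3.1 Roundup: the smallest one-decimal number >= input, computed on
 * an integer scaled by 100000 so floating-point noise cannot flip a digit. */
static double roundup(double x)
{
	long scaled = (long)(x * 100000.0 + 0.5);

	if (scaled % 10000 == 0)
		return scaled / 100000.0;
	return (scaled / 10000 + 1) / 10.0;
}

/* Parse "CVSS:3.1/AV:../AC:../PR:../UI:../S:../C:../I:../A:.." and return the
 * base score. Returns -1.0 for a malformed vector, a non-3.1 prefix, or a
 * missing base metric. Extra (temporal/environmental) metrics are ignored. */
double cvss31_base(const char *vector)
{
	char buf[160];
	char av = 0, ac = 0, pr = 0, ui = 0, s = 0, c = 0, i = 0, a = 0;

	if (strlen(vector) >= sizeof buf)
		return -1.0;
	strcpy(buf, vector);

	for (char *tok = strtok(buf, "/"); tok; tok = strtok(NULL, "/")) {
		char *colon = strchr(tok, ':');

		if (!colon || colon[1] == '\0')
			return -1.0;
		*colon = '\0';
		char v = colon[1];

		if (!strcmp(tok, "CVSS")) {
			if (strcmp(colon + 1, "3.1"))
				return -1.0;	/* only the v3.1 equations are implemented */
		} else if (!strcmp(tok, "AV")) av = v;
		else if (!strcmp(tok, "AC")) ac = v;
		else if (!strcmp(tok, "PR")) pr = v;
		else if (!strcmp(tok, "UI")) ui = v;
		else if (!strcmp(tok, "S"))  s = v;
		else if (!strcmp(tok, "C"))  c = v;
		else if (!strcmp(tok, "I"))  i = v;
		else if (!strcmp(tok, "A"))  a = v;
	}
	if (!av || !ac || !pr || !ui || !s || !c || !i || !a)
		return -1.0;
	if (s != 'U' && s != 'C')
		return -1.0;

	int changed = (s == 'C');
	double w_av = metric_weight("AV", av, changed), w_ac = metric_weight("AC", ac, changed);
	double w_pr = metric_weight("PR", pr, changed), w_ui = metric_weight("UI", ui, changed);
	double w_c = metric_weight("C", c, changed), w_i = metric_weight("I", i, changed);
	double w_a = metric_weight("A", a, changed);

	if (w_av < 0 || w_ac < 0 || w_pr < 0 || w_ui < 0 || w_c < 0 || w_i < 0 || w_a < 0)
		return -1.0;

	/* ISS = 1 - (1-C)(1-I)(1-A); Impact depends on Scope */
	double iss = 1.0 - (1.0 - w_c) * (1.0 - w_i) * (1.0 - w_a);
	double impact;

	if (!changed) {
		impact = 6.42 * iss;
	} else {
		double p = 1.0;	/* (ISS - 0.02)^15 without libm */
		for (int k = 0; k < 15; k++)
			p *= iss - 0.02;
		impact = 7.52 * (iss - 0.029) - 3.25 * p;
	}
	double exploitability = 8.22 * w_av * w_ac * w_pr * w_ui;

	if (impact <= 0.0)
		return 0.0;
	double raw = impact + exploitability;
	if (changed)
		raw *= 1.08;
	if (raw > 10.0)
		raw = 10.0;
	return roundup(raw);
}

int main(void)
{
	const char *v = "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H";

	printf("%s -> %.1f\n", v, cvss31_base(v));
	return 0;
}
```

For the advisory's vector the pieces are ISS = 0.56, Impact = 6.42 × 0.56 = 3.5952, Exploitability = 8.22 × 0.55 × 0.77 × 0.62 × 0.85 ≈ 1.8346, and Roundup(5.4298) = 5.5, which matches the MEDIUM 5.5 shown in the record. The Roundup step is implemented on a scaled integer exactly as the v3.1 specification describes, because a naive ceil on the raw double can produce off-by-one-tenth results.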
