PatchSiren

PatchSiren cyber security CVE debrief

CVE-2024-45490 Siemens CVE debrief

CVE-2024-45490 is a critical libexpat parsing flaw that Siemens and CISA report as affecting industrial products, including RUGGEDCOM RST2428P (6GK6242-6PA00). The advisory states that in libexpat versions before 2.6.3, xmlparse.c does not reject a negative length passed to XML_ParseBuffer. The published CVSS base score is 9.8 with vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, so organizations should treat exposed or operationally important installations as high priority. Siemens’ remediation guidance is to update the affected products named in the advisory to V3.1 or later.

Vendor: Siemens
Product: RUGGEDCOM RST2428P (6GK6242-6PA00)
CVSS: CRITICAL 9.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2025-08-12
Original CVE updated: 2026-02-25
Advisory published: 2025-08-12
Advisory updated: 2026-02-25

Who should care

Operators and maintainers of Siemens industrial products named in the advisory, especially RUGGEDCOM RST2428P deployments, should care most. Security teams that manage embedded third-party libraries such as libexpat in industrial control environments should also review their exposure.

Technical summary

The issue is in libexpat before 2.6.3: xmlparse.c does not reject a negative length passed to XML_ParseBuffer. Siemens and CISA map the issue to affected product lines in the SSA-613116 / ICSA-25-226-15 advisory set. The advisory includes product-specific remediation and later republication updates, indicating the affected-product list was refined over time.

Defensive priority

High

Recommended defensive actions

  • Upgrade affected Siemens products to V3.1 or later, following Siemens ProductCERT guidance.
  • Inventory any Siemens devices or embedded applications that bundle libexpat and confirm whether they are in an affected version range.
  • Prioritize internet-exposed or operationally critical installations for patching and validation.
  • Review the advisory revision history to ensure you are using the latest affected-product and remediation information.
  • Use standard ICS defense-in-depth practices to reduce exposure while patching is planned or underway.
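The technical summary above pins the fix to libexpat 2.6.3, and the inventory and prioritization steps in the list above come down to one question per asset: is the bundled libexpat older than 2.6.3, and is the asset exposed? The script below is an added example, not code from PatchSiren, Siemens or the libexpat project. It normalizes the version strings that typically show up in software bills of materials, flags anything below 2.6.3 as in the affected range, reports the libexpat build linked into the local Python interpreter through the standard-library pyexpat module, and triages a constructed inventory so that exposed assets come first. The asset names, product labels and libexpat versions in INVENTORY are made up for illustration and do not describe any real RUGGEDCOM firmware.

```python
import re
import pyexpat

# Fixed release named in the advisory: libexpat 2.6.3 rejects a negative
# length passed to XML_ParseBuffer, so anything older is in the affected range.
FIXED_VERSION = (2, 6, 3)


def parse_expat_version(version_str):
    """Normalize strings such as 'expat_2.5.0', '2.6.3' or 'libexpat 2.4.1'
    into a (major, minor, micro) tuple; a missing micro component is read as 0."""
    match = re.search(r"(\d+)\.(\d+)(?:\.(\d+))?", version_str)
    if not match:
        raise ValueError(f"unrecognised libexpat version string: {version_str!r}")
    major, minor, micro = match.group(1), match.group(2), match.group(3) or "0"
    return (int(major), int(minor), int(micro))


def is_affected(version):
    """True when the version tuple is below the fixed release."""
    return tuple(version) < FIXED_VERSION


def check_local_runtime():
    """Report the libexpat build linked into this interpreter (pyexpat exposes
    both the raw version string and a version tuple)."""
    version = tuple(pyexpat.version_info)
    return {
        "source": pyexpat.EXPAT_VERSION,
        "version": version,
        "affected": is_affected(version),
    }


# Constructed inventory records for illustration only; the version strings are
# deliberately in mixed formats, as they tend to be when collected from SBOMs.
INVENTORY = [
    {"asset": "rst2428p-plant-a", "product": "hypothetical RUGGEDCOM unit",
     "libexpat": "2.5.0", "internet_exposed": True},
    {"asset": "rst2428p-plant-b", "product": "hypothetical RUGGEDCOM unit",
     "libexpat": "expat_2.6.3", "internet_exposed": True},
    {"asset": "hmi-gateway-01", "product": "hypothetical HMI gateway",
     "libexpat": "2.6.2", "internet_exposed": False},
    {"asset": "engineering-ws-07", "product": "hypothetical engineering host",
     "libexpat": "libexpat 2.4.1", "internet_exposed": False},
]


def triage_inventory(records):
    """Return the asset names still in the affected range, internet-exposed
    assets first and then alphabetically, which is the patch order the
    advisory's prioritization guidance implies."""
    affected = [
        r for r in records
        if is_affected(parse_expat_version(r["libexpat"]))
    ]
    affected.sort(key=lambda r: (not r["internet_exposed"], r["asset"]))
    return [r["asset"] for r in affected]


if __name__ == "__main__":
    local = check_local_runtime()
    print(f"local pyexpat build: {local['source']} affected={local['affected']}")
    for asset in triage_inventory(INVENTORY):
        print(f"patch required: {asset}")
```

Running the script prints the interpreter's own libexpat version alongside the triage list, which is a quick way to confirm that the host used to run an inventory scan is not itself carrying an old libexpat build. Plugging real SBOM or firmware-manifest data into INVENTORY is the only change needed to apply it to an actual estate.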

Evidence notes

The source advisory was published on 2025-08-12 and later revised, with a final CISA republication update on 2026-02-25 based on Siemens ProductCERT SSA-613116. The advisory explicitly names RUGGEDCOM RST2428P (6GK6242-6PA00) and documents the underlying libexpat issue in versions before 2.6.3. The published CVSS base score is 9.8, and the source bundle includes Siemens advisory links, the CISA ICS advisory, the CVE record, and ICS defensive-practices references.

Official resources

Publicly disclosed in the source advisory on 2025-08-12, with subsequent corrections and a final CISA republication update on 2026-02-25. This debrief uses the CVE publication date from the supplied timeline and advisory metadata, not the c