PatchSiren

CVE-2024-46721 Siemens CVE debrief

A NULL pointer dereference vulnerability exists in the Linux kernel's AppArmor security module, specifically within profile replacement operations. The flaw occurs when `profile->parent->dents[AAFS_PROF_DIR]` is NULL, which can happen when a parent profile is created via `__create_missing_ancestors()` and `ent->old` is NULL in `aa_replace_profiles()`. In this scenario, the code fails to return an error code, potentially leading to a system crash or denial-of-service condition. The vulnerability is rated MEDIUM severity with a CVSS 3.1 score of 5.5, indicating a local attack vector with low attack complexity and low privileges required, but high availability impact. Siemens has identified this vulnerability as affecting multiple industrial networking products running SINEC OS, including RUGGEDCOM RST2428P and SCALANCE switch families. The vulnerability was initially published on August 12, 2025, with subsequent advisory updates through February 25, 2026, including corrections to affected product lists and removal of rejected CVEs.

Vendor: Siemens
Product: RUGGEDCOM RST2428P (6GK6242-6PA00)
CVSS: MEDIUM 5.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2025-08-12
Original CVE updated: 2026-02-25
Advisory published: 2025-08-12
Advisory updated: 2026-02-25

Who should care

Organizations operating Siemens industrial networking infrastructure, including RUGGEDCOM RST2428P switches and the SCALANCE XC-300/XR-300/XC-400/XR-500WG/XR-500 and XCM-/XRM-/XCH-/XRH-300 families. This includes system administrators responsible for industrial control system security, OT security teams, and infrastructure operators in critical manufacturing, energy, and transportation sectors where these devices are deployed.

Technical summary

The vulnerability exists in the AppArmor profile replacement code path. When `aa_replace_profiles()` processes a profile whose parent was created by `__create_missing_ancestors()` and the `ent->old` field is NULL, the code fails to check whether `profile->parent->dents[AAFS_PROF_DIR]` is valid before dereferencing it. The proper fix requires returning `-ENOENT` to indicate the parent path does not exist. This is a local vulnerability requiring low privileges but can cause high availability impact through system crash. The affected code is in the Linux kernel's security/apparmor/ directory. Siemens products incorporate this vulnerable kernel component through their SINEC OS operating system.
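
The missing check described above, as an added user-space model that is not kernel source and not taken from the advisory: the struct types and function names are hypothetical, and only `dents`, `parent` and `AAFS_PROF_DIR` are named on this page. It places the unchecked dereference next to the checked form that returns `-ENOENT`.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>

/* User-space model, not kernel source; struct and function names are hypothetical. */
enum { AAFS_PROF_DIR, AAFS_PROF_SIZEOF };   /* index name as used on the page */
struct dentry_model { int nchildren; };     /* stand-in for a directory entry */
struct profile_model {                      /* stand-in for a profile */
    struct profile_model *parent;
    struct dentry_model *dents[AAFS_PROF_SIZEOF];
};

/* Pre-fix shape: assumes the parent already has a directory entry. */
int profile_mkdir_unchecked(struct profile_model *p, struct dentry_model *self)
{
    struct dentry_model *dir = p->parent->dents[AAFS_PROF_DIR];
    dir->nchildren++;                       /* faults when dir is NULL */
    p->dents[AAFS_PROF_DIR] = self;
    return 0;
}

/* Post-fix shape: a parent without a directory entry yields -ENOENT. */
int profile_mkdir_checked(struct profile_model *p, struct dentry_model *self)
{
    struct dentry_model *dir = p->parent ? p->parent->dents[AAFS_PROF_DIR] : NULL;
    if (!dir)
        return -ENOENT;                     /* parent path does not exist */
    dir->nchildren++;
    p->dents[AAFS_PROF_DIR] = self;
    return 0;
}

/* Runs the checked path under a parent that has (1) or lacks (0) its directory
 * entry; the second case models a freshly created ancestor. */
int replace_under_parent(int parent_has_dir)
{
    struct dentry_model pdir = {0}, d = {0};
    struct profile_model parent = { NULL, { parent_has_dir ? &pdir : NULL } };
    struct profile_model child = { &parent, { NULL } };
    return profile_mkdir_checked(&child, &d);
}

int main(void)
{
    printf("%d %d\n", replace_under_parent(1), replace_under_parent(0));
    return 0;
}
```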

Defensive priority

medium

Recommended defensive actions

  • Apply vendor-provided firmware updates to version 3.2 or later for affected RUGGEDCOM and SCALANCE products as specified in Siemens security advisory SSA-355557
  • For SCALANCE XC-300/XR-300/XC-400/XR-500WG/XR-500 family products, consult vendor documentation for specific configuration guidance
  • Implement network segmentation for industrial control systems to limit local access vectors
  • Follow CISA ICS recommended practices for defense-in-depth strategies
  • Monitor vendor security advisories for additional product-specific guidance

Evidence notes

The vulnerability description is derived from the CISA CSAF advisory ICSA-25-226-07, which references Siemens ProductCERT advisory SSA-355557. The CVSS vector CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C indicates local attack vector, low attack complexity, low privileges required, no user interaction, unchanged scope, no confidentiality or integrity impact, high availability impact, unproven exploit maturity, official fix remediation level, and confirmed report confidence. The advisory revision history shows four updates: initial publication (2025-08-12), correction of affected products (2026-02-12), clarification of SCALANCE family configurations and removal of rejected CVEs (2026-02-24), and republication based on Siemens SSA-355557 (2026-02-25).
