PatchSiren cyber security CVE debrief
CVE-2024-46723 Siemens CVE debrief
CVE-2024-46723 describes an out-of-bounds read vulnerability in the Linux kernel's drm/amdgpu driver when accessing the ucode[] array. The vulnerability was published on 2025-08-12 and last modified on 2026-02-25. Siemens ProductCERT issued advisory SSA-355557 addressing this issue, which CISA subsequently republished as ICSA-25-226-07 on 2025-08-12 with updates through 2026-02-25. The advisory covers Siemens industrial networking products including RUGGEDCOM RST2428P and SCALANCE X-family switches running SINEC OS. According to the source advisory, the impact assessment for this vulnerability is categorized as 'Misinformed' for the affected product configurations. No CVSS score or severity rating is available in the source corpus. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog.
- Vendor: Siemens
- Product: RUGGEDCOM RST2428P (6GK6242-6PA00)
- CVSS: Unknown
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2025-08-12
- Original CVE updated: 2026-02-25
- Advisory published: 2025-08-12
- Advisory updated: 2026-02-25
Who should care
Organizations operating Siemens SCALANCE X-family switches (XC-300/XR-300/XC-400/XR-500WG/XR-500, XCM-/XRM-/XCH-/XRH-300 families) or RUGGEDCOM RST2428P industrial Ethernet switches should review this advisory. Industrial control system operators, OT security teams, and network infrastructure administrators responsible for critical manufacturing, energy, transportation, and other ICS environments using affected Siemens networking equipment should prioritize vendor guidance.
Technical summary
CVE-2024-46723 is an out-of-bounds read vulnerability in the Linux kernel's Direct Rendering Manager (DRM) AMDGPU driver. The issue occurs when the ucode[] array is accessed with an index outside its bounds, which could lead to reading memory beyond the end of the array. This kernel-level vulnerability affects Siemens industrial networking products that incorporate the vulnerable kernel component through their SINEC OS operating system. The source advisory characterizes the impact as 'Misinformed' rather than as a direct security risk, suggesting that in the affected product configurations the defect is more likely to trigger warnings or diagnostic conditions than exploitable memory corruption.
Defensive priority
Medium
Recommended defensive actions
- Review Siemens ProductCERT advisory SSA-355557 for detailed product impact and patch availability
- Verify SINEC OS and affected SCALANCE/RUGGEDCOM product firmware versions against vendor guidance
- Apply vendor-provided security updates when available per organizational change management procedures
- Monitor CISA ICS advisories for additional guidance on industrial control system security practices
Evidence notes
Source advisory ICSA-25-226-07 (CISA republishing of Siemens SSA-355557) identifies CVE-2024-46723 with impact marked 'Misinformed' for affected product IDs CSAFPID-0006, CSAFPID-0002, and CSAFPID-0003. Advisory revision history shows multiple updates through 2026-02-25, including corrections to affected products list and removal of rejected CVEs.
Official resources
- CVE-2024-46723 CVE record (CVE.org)
- CVE-2024-46723 NVD detail (NVD)
- Source item URL: cisa_csaf
2025-08-12