PatchSiren

PatchSiren cyber security CVE debrief

CVE-2024-46738 Siemens CVE debrief

A use-after-free vulnerability exists in the VMCI (Virtual Machine Communication Interface) subsystem, specifically within the vmci_resource_remove() function. This flaw can be triggered when removing a resource, potentially allowing a local attacker with low privileges to execute arbitrary code, escalate privileges, or cause a denial of service. The vulnerability affects Siemens industrial networking products running SINEC OS, including RUGGEDCOM RST2428P switches and multiple SCALANCE product families. The CVSS v3.1 score of 7.8 (HIGH) reflects significant impacts to confidentiality, integrity, and availability, though exploitation requires local access and low privileges. Siemens has released updates to address this vulnerability, with V3.2 or later versions containing the fix.

Vendor: Siemens
Product: RUGGEDCOM RST2428P (6GK6242-6PA00)
CVSS: HIGH 7.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2025-08-12
Original CVE updated: 2026-02-25
Advisory published: 2025-08-12
Advisory updated: 2026-02-25

Who should care

Organizations operating Siemens industrial networking infrastructure, particularly those deploying RUGGEDCOM RST2428P switches or SCALANCE product families in critical infrastructure environments. Security teams responsible for OT/ICS asset management and patch deployment should prioritize this vulnerability due to its HIGH severity rating and potential for privilege escalation.

Technical summary

The vulnerability resides in the vmci_resource_remove() function of the VMCI kernel module. A use-after-free condition occurs during resource removal operations, where a pointer to freed memory may be subsequently dereferenced. This memory safety defect can lead to arbitrary code execution in kernel context. The attack surface is limited to local attackers with authenticated low-privilege access. The vulnerability affects SINEC OS-based products including RUGGEDCOM RST2428P (6GK6242-6PA00), SCALANCE XC-300/XR-300/XC-400/XR-500WG/XR-500 family, and SCALANCE XCM-/XRM-/XCH-/XRH-300 family. Remediation requires updating to firmware version V3.2 or later.

Defensive priority

HIGH

Recommended defensive actions

  • Apply vendor-provided updates to V3.2 or later for affected RUGGEDCOM and SCALANCE products per Siemens ProductCERT guidance
  • For SCALANCE XC-300/XR-300/XC-400/XR-500WG/XR-500 family, consult Siemens ProductCERT advisory SSA-355557 for specific configuration guidance
  • Implement network segmentation to limit local access to affected industrial control systems
  • Monitor for anomalous process behavior or unexpected system crashes that may indicate exploitation attempts
  • Apply principle of least privilege to limit local user accounts on affected systems
  • Review and apply CISA ICS recommended practices for defense-in-depth strategies

Evidence notes

The vulnerability description is sourced from CISA ICS Advisory ICSA-25-226-07, which references Siemens ProductCERT advisory SSA-355557. The CVSS vector (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C) confirms local attack vector with low attack complexity and low privileges required. The use-after-free condition in vmci_resource_remove() indicates a memory management defect in the VMCI kernel module.

Official resources

2025-08-12