PatchSiren cyber security CVE debrief
CVE-2024-46782 Siemens CVE debrief
A use-after-free vulnerability exists in the Linux kernel's Identifier Locator Addressing (ILA) subsystem, specifically in the `ila_nf_input` function. The flaw occurs when `nf_unregister_net_hooks()` is called, leading to a use-after-free read condition. This vulnerability affects Siemens industrial networking products running SINEC OS, including the RUGGEDCOM RST2428P and SCALANCE switch families. The issue was disclosed in CISA advisory ICSA-25-226-07, which was republished on February 25, 2026, based on Siemens ProductCERT advisory SSA-355557. The vulnerability has a CVSS 3.1 score of 5.5 (MEDIUM severity) with a local attack vector, low attack complexity, and low privileges required. Successful exploitation results in high availability impact (denial of service) with no confidentiality or integrity impact. Siemens has provided vendor fixes: affected products should be updated to version 3.2 or later.
- Vendor: Siemens
- Product: RUGGEDCOM RST2428P (6GK6242-6PA00)
- CVSS: MEDIUM 5.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2025-08-12
- Original CVE updated: 2026-02-25
- Advisory published: 2025-08-12
- Advisory updated: 2026-02-25
Who should care
Organizations operating Siemens industrial networking infrastructure, particularly those deploying RUGGEDCOM RST2428P switches or SCALANCE XC-300/XR-300/XC-400/XR-500WG/XR-500 and XCM-/XRM-/XCH-/XRH-300 family switches in industrial control system environments. Critical infrastructure operators, manufacturing facilities, and utility providers utilizing these devices for operational technology networks should prioritize assessment and patching.
Technical summary
The vulnerability exists in the Linux kernel's Identifier Locator Addressing (ILA) subsystem, a network namespace-aware IPv6 address mapping mechanism. The flaw is triggered when `nf_unregister_net_hooks()` is called during netfilter hook unregistration, resulting in a use-after-free read in `ila_nf_input`. This is a local vulnerability requiring low privileges with low attack complexity. The affected code path involves improper synchronization between netfilter hook teardown and ongoing packet processing in the ILA input path. Exploitation leads to denial of service through system instability or crash. The vulnerability is present in Siemens industrial networking products that incorporate the vulnerable Linux kernel components within SINEC OS.
Defensive priority
medium
Recommended defensive actions
- Apply vendor-provided firmware updates to version 3.2 or later for affected Siemens RUGGEDCOM RST2428P and SCALANCE switch families
- Review network segmentation for industrial control systems to limit exposure of affected devices
- Monitor for anomalous network behavior or unexpected device reboots that may indicate exploitation attempts
- Consult Siemens ProductCERT advisory SSA-355557 for specific configuration guidance regarding SCALANCE XC-300/XR-300/XC-400/XR-500WG/XR-500 family devices
- Follow CISA ICS recommended practices for defense-in-depth strategies for industrial control systems
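To act on the first recommendation, the sketch below triages a device inventory against the fixed version 3.2 and the product families named in this debrief. It is an added example, not Siemens or CISA tooling; the inventory records, their field names and the firmware strings are constructed, and the family labels are assumed to be recorded exactly as written on this page.

```python
import re

# Values taken from this debrief: fixed release and affected families.
FIXED_VERSION = (3, 2)
AFFECTED_FAMILIES = (
    "RUGGEDCOM RST2428P",
    "SCALANCE XC-300", "SCALANCE XR-300", "SCALANCE XC-400",
    "SCALANCE XR-500WG", "SCALANCE XR-500",
    "SCALANCE XCM-300", "SCALANCE XRM-300",
    "SCALANCE XCH-300", "SCALANCE XRH-300",
)

def parse_version(text):
    """Turn 'V3.1.2' or '03.02.00' into a tuple of ints; None if unparseable."""
    m = re.fullmatch(r"\s*[Vv]?(\d+(?:\.\d+)*)\s*", text or "")
    if not m:
        return None
    return tuple(int(part) for part in m.group(1).split("."))

def triage(inventory):
    """Map device name -> 'not-listed', 'patched', 'vulnerable' or 'unknown-version'."""
    results = {}
    for dev in inventory:
        if dev["family"] not in AFFECTED_FAMILIES:
            status = "not-listed"  # family is not named in this debrief
        else:
            ver = parse_version(dev.get("firmware"))
            if ver is None:
                status = "unknown-version"  # needs manual review
            elif ver + (0,) * (2 - len(ver)) >= FIXED_VERSION:
                status = "patched"  # numeric compare, so 3.10 > 3.2
            else:
                status = "vulnerable"
        results[dev["name"]] = status
    return results

# Constructed sample inventory (names, field layout and versions are illustrative).
INVENTORY = [
    {"name": "sw-line1", "family": "RUGGEDCOM RST2428P", "firmware": "V3.1.2"},
    {"name": "sw-line2", "family": "SCALANCE XC-300", "firmware": "3.2"},
    {"name": "sw-line3", "family": "SCALANCE XR-500", "firmware": "V3.10.0"},
    {"name": "sw-line4", "family": "SCALANCE XRM-300", "firmware": "unknown"},
    {"name": "sw-office", "family": "OTHER-VENDOR SWITCH", "firmware": "1.0"},
]

if __name__ == "__main__":
    for name, status in triage(INVENTORY).items():
        print(f"{name}: {status}")
```

Devices reported as unknown-version should be checked by hand rather than assumed patched.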
Evidence notes
Vulnerability description and affected products confirmed through CISA CSAF advisory ICSA-25-226-07. CVSS vector and remediation details sourced from Siemens ProductCERT advisory SSA-355557 as referenced in CISA republication dated 2026-02-25.
Official resources
- CVE-2024-46782 CVE record (CVE.org)
- CVE-2024-46782 NVD detail (NVD)
- Source item URL (cisa_csaf)
2025-08-12