PatchSiren

PatchSiren cyber security CVE debrief

CVE-2024-46828 Siemens CVE debrief

CVE-2024-46828 is a vulnerability in the Linux kernel's sch_cake network scheduler, in the bulk flow accounting logic used for host fairness (destination or source host fairness mode). sch_cake keeps a per-host count of active bulk flows and uses that count as the round-robin weight when iterating through flows; when the count drifts from the real number of flows, scheduling weights are wrong, and the resulting impact is a denial of service on affected systems. The vulnerability carries a CVSS 3.1 score of 5.5 (MEDIUM) with vector AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H: local attack vector, low attack complexity, low privileges required, no user interaction, high availability impact, and no confidentiality or integrity impact. Siemens lists it as affecting multiple industrial networking products running SINEC OS, including RUGGEDCOM RST2428P, the SCALANCE XC-300/XR-300/XC-400/XR-500WG/XR-500 family, and the SCALANCE XCM-/XRM-/XCH-/XRH-300 family. The Siemens advisory was published on August 12, 2025 and revised through February 25, 2026, including corrections to the affected product list and clarifications of which configurations are affected.

Vendor: Siemens
Product: RUGGEDCOM RST2428P (6GK6242-6PA00)
CVSS: MEDIUM 5.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2025-08-12
Original CVE updated: 2026-02-25
Advisory published: 2025-08-12
Advisory updated: 2026-02-25

Who should care

Industrial network administrators, OT security engineers, and infrastructure teams managing Siemens RUGGEDCOM and SCALANCE networking equipment in manufacturing, energy, transportation, and critical infrastructure environments should prioritize assessment and patching. Organizations with Linux-based network appliances or custom traffic shaping implementations using sch_cake should evaluate kernel patch status.

Technical summary

CVE-2024-46828 affects the sch_cake (Common Applications Kept Enhanced) network scheduler in the Linux kernel, specifically the bulk flow accounting logic used when the qdisc operates in destination or source host fairness mode. In that mode sch_cake maintains a per-host count of active bulk flows, and that count is the round-robin weight used when iterating through flows. A flaw in the accounting lets the count diverge from the actual number of flows, producing wrong scheduling weights and, as the impact, a denial of service through the scheduler. The affected code path is only reached on systems where cake is the active qdisc in a host-fairness flow mode; per the CVSS vector the attack is local with low privileges (in practice a local user or process whose traffic is shaped by the affected qdisc), with high availability impact and no confidentiality or integrity impact. The fix is an upstream Linux kernel change; affected Siemens products incorporate vulnerable kernel versions in their SINEC OS firmware, including RUGGEDCOM RST2428P switches and multiple SCALANCE industrial Ethernet switch families. Remediation is an update to SINEC OS firmware version 3.2 or later, with specific configuration guidance for certain SCALANCE product families.

Defensive priority

medium

Recommended defensive actions

  • Apply vendor-provided firmware updates to version 3.2 or later for affected RUGGEDCOM and SCALANCE devices as specified in Siemens ProductCERT advisory SSA-355557
  • For SCALANCE XC-300/XR-300/XC-400/XR-500WG/XR-500 family devices, consult Section Additional Information in the Siemens advisory for specific configuration guidance
  • Implement network segmentation to limit local access to affected industrial networking devices
  • Monitor links where cake is the active qdisc for unexplained throughput collapse or latency spikes that are not accounted for by offered load, since mis-weighted scheduling shows up as availability loss rather than as a distinctive packet signature
  • Review and apply CISA ICS recommended practices for defense-in-depth strategies in industrial control environments
  • Establish change control procedures for kernel-level networking configurations on affected devices
  • Prioritize patching based on device exposure to untrusted local users or compromised internal accounts
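The two checks a practitioner wants from the list above are (a) whether a Linux host actually runs cake in a host-fairness flow mode, which is the only case that reaches the flawed accounting, and (b) whether a SINEC OS device is at the 3.2-or-later version the advisory names. The following POSIX sh script is an added example, not code from Siemens, PatchSiren, or the kernel project. It assumes the flow-mode keywords printed by `tc qdisc show` as documented for tc-cake (`dual-srchost`, `dual-dsthost` and the default `triple-isolate` being the modes that layer per-host fairness over per-flow fairness; that mapping is my reading of tc-cake, not something the advisory states), and the sample `tc` output embedded in it is constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the Siemens advisory): exposure checks for CVE-2024-46828.
# Usage on a real host:  tc qdisc show | cake_host_fairness_qdiscs
# Firmware check:        sinec_os_patched "V3.1.5" && echo patched || echo "update to 3.2"

# Flow modes that apply per-host fairness on top of per-flow fairness and therefore
# use the per-host bulk flow count (assumption based on tc-cake(8); triple-isolate
# is cake's default when no flow mode is given).
HOST_FAIRNESS_MODES="dual-srchost dual-dsthost triple-isolate"

# Constructed sample of `tc qdisc show` output for the demonstration below.
sample_tc_output() {
    cat <<'EOF'
qdisc noqueue 0: dev lo root refcnt 2
qdisc cake 8001: dev eth0 root refcnt 2 bandwidth 100Mbit diffserv3 triple-isolate nonat nowash no-ack-filter split-gso rtt 100ms raw overhead 0
qdisc fq_codel 0: dev eth1 root refcnt 2 limit 10240p flows 1024 quantum 1514 target 5ms interval 100ms memory_limit 32Mb ecn drop_batch 64
qdisc cake 8002: dev eth2 root refcnt 2 bandwidth unlimited diffserv3 dual-dsthost nat nowash no-ack-filter split-gso rtt 100ms raw overhead 0
qdisc cake 8003: dev eth3 root refcnt 2 bandwidth unlimited diffserv3 flows nonat nowash no-ack-filter split-gso rtt 100ms raw overhead 0
EOF
}

# Read `tc qdisc show` output on stdin; print "<dev> <mode>" for every cake qdisc
# whose flow mode is one of HOST_FAIRNESS_MODES. cake in plain "flows" mode
# (eth3 in the sample) is not reported because no per-host weighting applies.
cake_host_fairness_qdiscs() {
    while read -r line; do
        case "$line" in
            "qdisc cake "*) ;;
            *) continue ;;
        esac
        # Token layout is "qdisc cake <handle>: dev <ifname> ..."
        dev=$(printf '%s\n' "$line" | sed -n 's/^qdisc cake [^ ]* dev \([^ ]*\).*/\1/p')
        mode=""
        for m in $HOST_FAIRNESS_MODES; do
            # Pad with spaces so "dsthost" cannot match inside "dual-dsthost".
            case " $line " in
                *" $m "*) mode="$m"; break ;;
            esac
        done
        if [ -n "$mode" ]; then
            printf '%s %s\n' "$dev" "$mode"
        fi
    done
    return 0
}

# Return 0 if a SINEC OS version string (e.g. "3.2", "V3.1.5", "4.0") is 3.2 or
# later, the fixed version named in SSA-355557; return 1 otherwise.
sinec_os_patched() {
    ver=${1#[Vv]}                 # tolerate Siemens' leading "V"
    case "$ver" in
        *.*) major=${ver%%.*}; rest=${ver#*.}; minor=${rest%%.*} ;;
        *)   major=$ver; minor=0 ;;
    esac
    if [ "$major" -gt 3 ]; then return 0; fi
    if [ "$major" -eq 3 ] && [ "$minor" -ge 2 ]; then return 0; fi
    return 1
}

# Demonstration on the constructed sample; on a real host feed `tc qdisc show` instead.
sample_tc_output | cake_host_fairness_qdiscs
```

The qdisc scan is what to run on Linux-based appliances or custom traffic-shaping hosts that are not covered by the Siemens advisory; a host with cake only in `flows` or `flowblind` mode, or with no cake qdisc at all, does not reach the affected accounting path even on an unpatched kernel, which is useful input to the exposure-based prioritisation the last bullet asks for.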

Evidence notes

The vulnerability description identifies this as a kernel-level issue in the sch_cake traffic scheduler's bulk flow accounting mechanism. The CVSS vector confirms a local attack vector with high availability impact and no confidentiality or integrity impact. Siemens ProductCERT advisory SSA-355557 is the authoritative source for the affected product list. CISA's ICS advisory ICSA-25-226-07 provides additional context for industrial control system deployments. The advisory revision history shows ongoing refinement of the affected product scope; the February 25, 2026 revision is the latest one reflected in this debrief.

Official resources

Siemens ProductCERT advisory SSA-355557 (published 2025-08-12)
CISA ICS advisory ICSA-25-226-07