PatchSiren cyber security CVE debrief
CVE-2024-47740 Siemens CVE debrief
CVE-2024-47740 is a medium-severity vulnerability (CVSS 5.5) in the Linux F2FS filesystem affecting Siemens industrial networking products. The flaw exists in F2FS atomic write ioctls that check inode_owner_or_capable() without requiring FMODE_WRITE, bypassing Linux Security Module (LSM) enforcement. When a caller's FSUID matches the inode's UID, the check returns true immediately, preventing SELinux or Landlock from denying write access. This local attack vector requires low privileges and no user interaction, with high availability impact potential. The vulnerability was published on 2025-08-12 and last modified on 2026-02-25. Siemens has released updates for affected RUGGEDCOM and SCALANCE product families.
- Vendor
- Siemens
- Product
- RUGGEDCOM RST2428P (6GK6242-6PA00)
- CVSS
- MEDIUM 5.5
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2025-08-12
- Original CVE updated
- 2026-02-25
- Advisory published
- 2025-08-12
- Advisory updated
- 2026-02-25
Who should care
Organizations operating Siemens RUGGEDCOM RST2428P, SCALANCE XC-300/XR-300/XC-400/XR-500WG/XR-500, or SCALANCE XCM-/XRM-/XCH-/XRH-300 family devices in industrial environments. Security teams responsible for Linux-based industrial control systems using F2FS with SELinux or Landlock mandatory access controls. Asset owners requiring defense-in-depth strategies for OT/ICS networks.
Technical summary
The F2FS filesystem implementation in affected Siemens products contains an authorization bypass in atomic write ioctls. The F2FS_IOC_START_ATOMIC_WRITE and F2FS_IOC_COMMIT_ATOMIC_WRITE ioctls use inode_owner_or_capable() for access control, which returns true when FSUID matches inode UID without consulting LSMs. This prevents mandatory access control systems (SELinux, Landlock) from enforcing write denials. The vulnerability is local, requires low privileges, and can result in denial of service (availability impact). The fix requires FMODE_WRITE checking to ensure proper LSM policy evaluation.
Defensive priority
medium
Recommended defensive actions
- Apply vendor-provided updates to V3.2 or later for affected RUGGEDCOM RST2428P and SCALANCE XCM-/XRM-/XCH-/XRH-300 family devices per Siemens ProductCERT guidance
- Review SCALANCE XC-300/XR-300/XC-400/XR-500WG/XR-500 family configurations and apply vendor-specified mitigations as directed in Section Additional Information of the advisory
- Implement defense-in-depth strategies for industrial control systems including network segmentation and access controls
- Monitor for anomalous local filesystem activity on affected devices that could indicate exploitation attempts
- Validate Linux Security Module (SELinux/Landlock) policies are properly configured on systems where F2FS is utilized
Evidence notes
Vulnerability description and affected products confirmed through CISA CSAF advisory ICSA-25-226-07, which references Siemens ProductCERT advisory SSA-355557. CVSS vector AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H indicates local attack vector with availability impact. Remediation guidance specifies V3.2 or later for RUGGEDCOM RST2428P and SCALANCE XCM-/XRM-/XCH-/XRH-300 families.
Official resources
-
CVE-2024-47740 CVE record
CVE.org
-
CVE-2024-47740 NVD detail
NVD
-
Source item URL
cisa_csaf
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
2025-08-12