PatchSiren

PatchSiren cyber security CVE debrief

CVE-2024-47747 Siemens CVE debrief

A use-after-free vulnerability exists in the Linux kernel's ether3 network driver due to a race condition between timer initialization and device removal. The vulnerability occurs in the ether3_probe function where a timer is initialized with a callback bound to device memory; if the module or device is removed before the timer expires, the ether3_remove cleanup function may free memory that the timer callback (ether3_ledoff) subsequently attempts to access. This affects Siemens industrial networking products running SINEC OS that incorporate the vulnerable kernel component. The vulnerability is rated MEDIUM severity with a CVSS 3.1 score of 5.5, reflecting local attack vector, low attack complexity, and high availability impact. Siemens has released firmware updates to address this issue.

Vendor
Siemens
Product
RUGGEDCOM RST2428P (6GK6242-6PA00)
CVSS
MEDIUM 5.5
CISA KEV
Not listed in stored evidence
Original CVE published
2024-04-09
Original CVE updated
2026-05-14
Advisory published
2024-04-09
Advisory updated
2026-05-14

Who should care

Organizations operating Siemens RUGGEDCOM RST2428P, SCALANCE XC-300/XR-300/XC-400/XR-500WG/XR-500, or SCALANCE XCM-/XRM-/XCH-/XRH-300 industrial Ethernet switches in critical infrastructure environments, particularly those with physical access by multiple users or untrusted administrators.

Technical summary

The vulnerability stems from improper synchronization between kernel timer initialization and device teardown paths in the seeq ether3 Ethernet driver. The timer callback ether3_ledoff is registered during probe with a reference to device-private memory; concurrent removal via ether3_remove can free this memory while the timer remains pending, leading to use-after-free when the callback executes. This is a classic race condition pattern in Linux kernel driver lifecycle management.

Defensive priority

medium

Recommended defensive actions

  • Apply vendor-provided firmware updates: Update RUGGEDCOM RST2428P and SCALANCE XCM-/XRM-/XCH-/XRH-300 family devices to firmware version V3.2 or later. For SCALANCE XC-300/XR-300/XC-400/XR-500WG/XR-500 family devices,西门子
  • Apply vendor-provided firmware updates: Update RUGGEDCOM RST2428P and SCALANCE XCM-/XRM-/XCH-/XRH-300 family devices to firmware version V3.2 or later. For SCALANCE XC-300/XR-300/XC-400/XR-500WG/XR-500 family devices,西门子
  • Apply vendor-provided firmware updates: Update RUGGEDCOM RST2428P and SCALANCE XCM-/XRM-/XCH-/XRH-300 family devices to firmware version V3.2 or later. For SCALANCE XC-300/XR-300/XC-400/XR-500WG/XR-500 family devices,西门子
  • Apply vendor-provided firmware updates: Update RUGGEDCOM RST2428P and SCALANCE XCM-/XRM-/XCH-/XRH-300 family devices to firmware version V3.2 or later. For SCALANCE XC-300/XR-300/XC-400/XR-500WG/XR-500 family devices,西门子
  • Apply vendor-provided firmware updates: Update RUGGEDCOM RST2428P and SCALANCE XCM-/XRM-/XCH-/XRH-300 family devices to firmware version V3.2 or later. For SCALANCE XC-300/XR-300/XC-400/XR-500WG/XR-500 family devices,西门子
  • Apply vendor-provided firmware updates: Update RUGGEDCOM RST2428P and SCALANCE XCM-/XRM-/XCH-/XRH-300 family devices to firmware version V3.2 or later. For SCALANCE XC-300/XR-300/XC-400/XR-500WG/XR-500 family devices,西门子
  • Apply vendor-provided firmware updates: Update RUGGEDCOM RST2428P and SCALANCE XCM-/XRM-/XCH-/XRH-300 family devices to firmware version V3.2 or later. For SCALANCE XC-300/XR-300/XC-400/XR-500WG/XR-500 family devices,西门子
  • Apply vendor-provided firmware updates: Update RUGGEDCOM RST2428P and SCALANCE XCM-/XRM-/XCH-/XRH-300 family devices to firmware version V3.2 or later. For SCALANCE XC-300/XR-300/XC-400/XR-500WG/XR-500 family devices,西门子

Evidence notes

Vulnerability description and affected product information derived from CISA CSAF advisory ICSA-25-226-07, which republishes Siemens ProductCERT advisory SSA-355557. The advisory was initially published on 2025-08-12 and most recently updated on 2026-02-25 to correct affected product listings and clarify configuration details for the SCALANCE XC-300/XR-300/XC-400/XR-500WG/XR-500 family.

Official resources

2025-08-12