PatchSiren cyber security CVE debrief
CVE-2024-49858 Siemens CVE debrief
A vulnerability in the Linux kernel's EFI stub TPM event log handling could allow local attackers to cause kernel crashes on affected Siemens industrial networking devices. The issue stems from improper memory reservation for the TPM event log table during kexec operations, potentially leading to memory corruption and denial of service.
- Vendor: Siemens
- Product: RUGGEDCOM RST2428P (6GK6242-6PA00)
- CVSS: MEDIUM 5.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2025-08-12
- Original CVE updated: 2026-02-25
- Advisory published: 2025-08-12
- Advisory updated: 2026-02-25
Who should care
Organizations operating Siemens RUGGEDCOM RST2428P, SCALANCE XC-300/XR-300/XC-400/XR-500WG/XR-500, or SCALANCE XCM-/XRM-/XCH-/XRH-300 industrial networking devices in critical infrastructure environments. Security teams managing OT/ICS networks where kexec-based kernel updates or high-availability configurations are deployed. System administrators responsible for firmware maintenance and TPM-enabled secure boot implementations in industrial automation environments.
Technical summary
The vulnerability exists in the Linux kernel's EFI stub implementation where the TPM event log table is allocated using EFI_LOADER_DATA memory type rather than ACPI reclaim memory. This causes the region to remain unreserved in the E820 memory map passed to kexec-loaded kernels. When kexec transfers control to a new kernel, the incoming kernel lacks awareness that this memory region should be reserved, permitting potential corruption of the TPM2 event log data. While the practical utility of the TPM2 event log after kexec is limited, corruption of this data structure can cause the kernel's parsing code to access invalid memory regions, resulting in kernel crashes and system instability. The attack requires local access with low privileges and no user interaction, making it primarily relevant in multi-user or compromised scenarios on affected industrial devices running vulnerable SINEC OS versions.
Defensive priority
medium
Recommended defensive actions
- Apply vendor-provided firmware updates to V3.2 or later for affected RUGGEDCOM and SCALANCE product families
- Review kexec configurations on affected devices and consider disabling if TPM event log integrity is critical
- Monitor for unexpected kernel crashes or system instability that may indicate exploitation attempts
- Implement defense-in-depth strategies per CISA ICS recommended practices for industrial control systems
- Verify memory reservation configurations in EFI boot environments where kexec is utilized
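One way to carry out the memory reservation check, as an added example that is not code from Siemens, CISA or the kernel project: it reads a boot log and reports which E820 type covers the TPM event log table, flagging `usable` as the unreserved condition the technical summary describes. It assumes an x86 system whose kernel log is readable and carries the mainline `BIOS-e820:` and `efi: ... TPMEventLog=` lines; the sample log, its addresses and the function names are constructed for illustration.

```python
import re

# Constructed dmesg excerpt (mainline x86 line formats); all addresses are made up.
SAMPLE_DMESG = """\
[    0.000000] BIOS-e820: [mem 0x0000000000000000-0x000000000009ffff] usable
[    0.000000] BIOS-e820: [mem 0x0000000000100000-0x000000007e8edfff] usable
[    0.000000] BIOS-e820: [mem 0x000000007e8ee000-0x000000007e9edfff] ACPI data
[    0.000000] BIOS-e820: [mem 0x000000007e9ee000-0x000000007fffffff] reserved
[    0.000000] efi: ACPI=0x7e9ed000 SMBIOS=0x7e6f0000 TPMFinalLog=0x7e95f000 TPMEventLog=0x7d2a3018
"""

E820_RE = re.compile(r"BIOS-e820: \[mem (0x[0-9a-f]+)-(0x[0-9a-f]+)\] (.+?)\s*$")
TABLE_RE = re.compile(r"\b(TPMEventLog|TPMFinalLog)=(0x[0-9a-f]+)")

def parse_e820(dmesg):
    """Return [(start, end, type)] from the firmware-provided E820 map lines."""
    regions = []
    for line in dmesg.splitlines():
        m = E820_RE.search(line)
        if m:
            regions.append((int(m.group(1), 16), int(m.group(2), 16), m.group(3)))
    return regions

def e820_type_at(regions, addr):
    """Return the E820 type covering addr, or None if the map has a hole there."""
    for start, end, kind in regions:
        if start <= addr <= end:
            return kind
    return None

def check_tpm_tables(dmesg):
    """Map each TPM log table name to (e820 type, verdict)."""
    regions = parse_e820(dmesg)
    result = {}
    for name, addr in TABLE_RE.findall(dmesg):
        kind = e820_type_at(regions, int(addr, 16))
        # "usable" means a kexec-loaded kernel sees ordinary RAM here and may
        # allocate over the table; "ACPI data" or "reserved" keeps it protected.
        result[name] = (kind, "UNRESERVED" if kind == "usable" else "ok")
    return result

if __name__ == "__main__":
    for name, (kind, verdict) in check_tpm_tables(SAMPLE_DMESG).items():
        print(f"{name}: e820 type={kind!r} -> {verdict}")
```

Run it against the log of the first (firmware-booted) kernel, since that is the E820 map a kexec-loaded kernel inherits.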
Evidence notes
The vulnerability was disclosed in CISA advisory ICSA-25-226-07 on 2025-08-12, with subsequent modifications through 2026-02-25. Siemens ProductCERT published SSA-355557 to address this and related third-party component vulnerabilities in SINEC OS. The CVSS 3.1 vector (AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H) confirms local attack vector with low complexity and high availability impact.
Official resources
- CVE-2024-49858 CVE record (CVE.org)
- CVE-2024-49858 NVD detail (NVD)
- Source item URL (cisa_csaf)
2025-08-12