PatchSiren cyber security CVE debrief
CVE-2024-49863 Siemens CVE debrief
A null pointer dereference vulnerability exists in the Linux kernel's vhost/scsi subsystem within the vhost_scsi_get_req() function. This flaw, published on 2025-08-12 and last modified on 2026-02-25, affects Siemens industrial networking products running SINEC OS, specifically the RUGGEDCOM RST2428P and SCALANCE X-family switches. The vulnerability stems from improper input validation (CWE-20) in the virtual host SCSI implementation, where a null pointer dereference can occur during request processing. CISA's advisory ICSA-25-226-07, which references Siemens ProductCERT advisory SSA-355557, documents this issue as part of a broader third-party component security assessment. The advisory has undergone multiple revisions, with the most recent update on 2026-02-25 clarifying affected product configurations and removing several rejected CVEs from the original listing. While specific CVSS scoring is not provided in the source material, null pointer dereference vulnerabilities in kernel subsystems typically carry significant availability impact and potential for privilege escalation in virtualized environments.
- Vendor: Siemens
- Product: RUGGEDCOM RST2428P (6GK6242-6PA00)
- CVSS: Unknown
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2025-08-12
- Original CVE updated: 2026-02-25
- Advisory published: 2025-08-12
- Advisory updated: 2026-02-25
Who should care
Organizations operating Siemens RUGGEDCOM RST2428P switches or SCALANCE X-family industrial Ethernet switches in critical infrastructure, manufacturing, or utility environments. Virtualization administrators managing KVM-based infrastructure with vhost/scsi configurations should also monitor this vulnerability for potential kernel-level impact.
Technical summary
The vulnerability exists in the vhost_scsi_get_req() function of the Linux kernel's vhost/scsi driver, which provides SCSI device emulation for virtual machines. A null pointer dereference can occur during request processing, potentially leading to a kernel crash and therefore a denial of service. This affects Siemens industrial networking products that incorporate the vulnerable kernel component within their SINEC OS operating system. The flaw is categorized under CWE-20 (Improper Input Validation) and represents a third-party component vulnerability in Siemens' supply chain.
Defensive priority
Medium
Recommended defensive actions
- Apply vendor-provided firmware updates for affected Siemens RUGGEDCOM and SCALANCE products when available per Siemens ProductCERT guidance
- Review and implement CISA ICS recommended practices for defense-in-depth strategies in industrial control environments
- Monitor Siemens ProductCERT advisory SSA-355557 for updated affected product lists and patch availability
- Implement network segmentation to limit exposure of affected industrial switches to untrusted networks
- Assess virtualization infrastructure for use of vhost/scsi configurations that may expose this kernel vulnerability
Evidence notes
Source: CISA CSAF advisory ICSA-25-226-07, referencing Siemens ProductCERT SSA-355557. The advisory explicitly lists CVE-2024-49863 with description 'vhost/scsi: null-ptr-dereference in vhost_scsi_get_req()'. CWE-20 (Improper Input Validation) is referenced in the advisory's CWE links. The threat category is marked as 'impact' with 'Misinformed' details for affected product IDs CSAFPID-0006, CSAFPID-0002, and CSAFPID-0003. Revision history confirms publication date of 2025-08-12 and multiple updates through 2026-02-25, with the latest republication based on Siemens advisory updates.
Official resources
- CVE-2024-49863 CVE record (CVE.org)
- CVE-2024-49863 NVD detail (NVD)
- Source item URL (cisa_csaf)
- Source reference
2025-08-12