PatchSiren cyber security CVE debrief

CVE-2024-49882 Siemens CVE debrief

CVE-2024-49882 is a medium-severity vulnerability (CVSS 5.5) in the Linux ext4 filesystem, specifically within the ext4_ext_try_to_merge_up() function. The issue is a double-free condition: path[1].p_bh is not set to NULL after being released, so the same buffer head can be released twice. This vulnerability was published on 2025-08-12 and last modified on 2026-02-25. Siemens has identified this vulnerability as affecting multiple industrial networking products, including the RUGGEDCOM RST2428P, the SCALANCE XC-300/XR-300/XC-400/XR-500WG/XR-500 family, and the SCALANCE XCM-/XRM-/XCH-/XRH-300 family. Exploitation requires local access with low privileges, and successful exploitation could result in high availability impact. Siemens has released vendor fixes, with updates to V3.2 or later versions recommended for affected products.

Vendor: Siemens
Product: RUGGEDCOM RST2428P (6GK6242-6PA00)
CVSS: MEDIUM 5.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2025-08-12
Original CVE updated: 2026-02-25
Advisory published: 2025-08-12
Advisory updated: 2026-02-25

Who should care

Organizations operating Siemens RUGGEDCOM RST2428P, SCALANCE XC-300/XR-300/XC-400/XR-500WG/XR-500, or SCALANCE XCM-/XRM-/XCH-/XRH-300 industrial networking equipment. OT security teams, infrastructure operators in critical manufacturing, energy, and transportation sectors, and patch management teams responsible for industrial control system maintenance.

Technical summary

The vulnerability exists in the ext4 filesystem's extent handling code. In ext4_ext_try_to_merge_up(), after path[1].p_bh is released via brelse(), the pointer is not subsequently set to NULL. This can lead to a double-free scenario if the same path structure is processed again, because the stale pointer may be passed to brelse() a second time. The vulnerability is classified as CWE-20 (Improper Input Validation) and has a CVSS 3.1 score of 5.5 (MEDIUM). The attack vector is local (AV:L) with low attack complexity (AC:L) and low privileges required (PR:L), resulting in high availability impact (A:H) with no confidentiality or integrity impact.
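As an added illustration (not code from this page or from the Linux kernel), the following user-space C model shows the release-without-clear pattern described above beside the corrected form that clears the pointer after release. The buffer_head, ext4_ext_path, brelse() and free_path() here are simplified stand-ins for the kernel's, and the model counts a second release of an already-released head instead of freeing memory, so the defect is observable without a crash.

```c
#include <stdio.h>
/* Simplified user-space stand-ins for the kernel structures (a model, not kernel code). */
struct buffer_head { int refcount; };               /* 1 = held, 0 = already released */
struct ext4_ext_path { struct buffer_head *p_bh; }; /* one level of the extent path */
/* Releases of a head whose count was already zero: the double free in the kernel, only counted here. */
static int double_release_count;

/* Model of brelse(): NULL is a no-op, otherwise drop one reference. */
static void brelse(struct buffer_head *bh) {
    if (bh == NULL) return;
    if (bh->refcount == 0) {        /* stale pointer to an already-released head */
        double_release_count++;
        return;
    }
    bh->refcount--;
}

/* Vulnerable pattern: the head is released but path[1].p_bh keeps the stale pointer. */
static void merge_up_vulnerable(struct ext4_ext_path *path) {
    brelse(path[1].p_bh);
}

/* Fixed pattern: clear the pointer so the later path teardown sees NULL. */
static void merge_up_fixed(struct ext4_ext_path *path) {
    brelse(path[1].p_bh);
    path[1].p_bh = NULL;
}

/* Generic path teardown: releases every level, as the caller's cleanup does. */
static void free_path(struct ext4_ext_path *path, int depth) {
    for (int i = 0; i <= depth; i++) {
        brelse(path[i].p_bh);
        path[i].p_bh = NULL;
    }
}

/* Merge-up then teardown on a constructed two-level path; returns the double-release count. */
int run_scenario(void (*merge_up)(struct ext4_ext_path *)) {
    struct buffer_head heads[2] = { { 1 }, { 1 } };
    struct ext4_ext_path path[2] = { { &heads[0] }, { &heads[1] } };
    double_release_count = 0;
    merge_up(path);
    free_path(path, 1);
    return double_release_count;
}
int main(void) {
    printf("vulnerable: %d double release(s)\n", run_scenario(merge_up_vulnerable));
    printf("fixed:      %d double release(s)\n", run_scenario(merge_up_fixed));
    return 0;
}
```

The vulnerable variant reports one double release because the teardown passes the stale path[1].p_bh to brelse() again; the fixed variant reports none.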

Defensive priority

medium

Recommended defensive actions

  • Apply vendor-provided updates to V3.2 or later version for affected Siemens RUGGEDCOM and SCALANCE products per vendor guidance
  • Review Siemens ProductCERT advisory SSA-355557 for specific product configuration guidance
  • Implement defense-in-depth strategies for industrial control systems per CISA recommended practices
  • Monitor for additional vendor communications regarding affected product configurations
  • Validate patch deployment through standard change management procedures for OT environments

Evidence notes

Vulnerability description and affected products confirmed through CISA CSAF advisory ICSA-25-226-07, which references Siemens ProductCERT advisory SSA-355557. The CVSS vector AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H indicates a local attack vector with high availability impact. Remediation guidance specifies vendor fixes available through the Siemens support portal.

Official resources

2025-08-12