PatchSiren

CVE-2024-49930 Siemens CVE debrief

CVE-2024-49930 is an array out-of-bounds access vulnerability in the Linux kernel's ath11k Wi-Fi driver, specifically affecting the ath11k_soc_dp_stats::hal_reo_error array. The vulnerability stems from incorrect indexing in the ath11k_dp_process_rx() function, which uses the REO destination SRNG ring ID instead of the normal ring ID. Since SRNG ring IDs differ from normal ring IDs, this leads to out-of-bounds array access when processing receive packets. The vulnerability is classified under CWE-125 (Out-of-bounds Read).

The vulnerability was published on August 12, 2025, and last modified on February 25, 2026. Siemens has identified this CVE as affecting certain industrial networking products, including the RUGGEDCOM RST2428P and SCALANCE XC-300/XR-300/XC-400/XR-500WG/XR-500 family devices, which incorporate the vulnerable third-party Linux kernel component.

While the underlying vulnerability exists in the Linux kernel's ath11k driver, Siemens products that include this component may be exposed if the Wi-Fi functionality is enabled and configured in a manner that triggers the vulnerable code path. The vulnerability requires local network access to exploit, as it involves processing of Wi-Fi receive packets.

Vendor: Siemens
Product: RUGGEDCOM RST2428P (6GK6242-6PA00)
CVSS: MEDIUM 6.4
CISA KEV: Not listed in stored evidence
Original CVE published: 2024-04-09
Original CVE updated: 2026-05-14
Advisory published: 2024-04-09
Advisory updated: 2026-05-14

Who should care

  • Organizations operating Siemens industrial networking equipment with Wi-Fi capabilities, particularly in critical infrastructure and OT environments
  • Security teams responsible for patch management of Linux-based industrial devices
  • Network administrators managing RUGGEDCOM and SCALANCE wireless infrastructure
  • ICS/SCADA security practitioners monitoring for kernel-level vulnerabilities in embedded industrial systems

Technical summary

CVE-2024-49930 is an out-of-bounds array access vulnerability in the Linux kernel's ath11k Wi-Fi driver. The ath11k_soc_dp_stats structure contains a hal_reo_error array sized to DP_REO_DST_RING_MAX elements. However, the ath11k_dp_process_rx() function incorrectly indexes this array using the REO destination SRNG (Source Ring) ring ID rather than the normal ring ID. Since SRNG ring IDs have different value ranges than normal ring IDs, this indexing error can result in out-of-bounds memory access during receive packet processing. The vulnerability affects Qualcomm Atheros 802.11ax Wi-Fi chipsets supported by the ath11k driver. Siemens industrial networking products incorporating this driver component are affected, including RUGGEDCOM RST2428P and select SCALANCE product families. The vulnerability is exploitable by an attacker with the ability to send crafted Wi-Fi traffic that triggers the vulnerable receive processing path. Successful exploitation could lead to memory corruption, denial of service, or potentially information disclosure depending on the memory layout and system configuration.
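
The indexing mistake described above, as an added user-space model (not kernel code and not taken from the advisory). The struct and function names, the array size of 4, and the SRNG ID base of 8 are assumptions chosen for illustration; only hal_reo_error and DP_REO_DST_RING_MAX come from the text.

```c
#include <stddef.h>
#include <stdio.h>

/* Constructed values: not taken from the kernel source or the advisory. */
#define DP_REO_DST_RING_MAX 4   /* assumed size of hal_reo_error[] */
#define MODEL_SRNG_ID_BASE  8   /* assumed: SRNG IDs live in a separate, larger range */

struct model_srng  { unsigned int ring_id; };   /* holds the SRNG ring ID */
struct model_stats { unsigned int hal_reo_error[DP_REO_DST_RING_MAX]; };
struct model_dp {
    struct model_srng  reo_dst_ring[DP_REO_DST_RING_MAX];
    struct model_stats stats;
};

static void model_init(struct model_dp *dp)
{
    for (unsigned int i = 0; i < DP_REO_DST_RING_MAX; i++) {
        dp->reo_dst_ring[i].ring_id = MODEL_SRNG_ID_BASE + i;
        dp->stats.hal_reo_error[i] = 0;
    }
}

/* Flawed pattern: the index is the SRNG ring ID of the REO destination ring. */
static size_t index_from_srng_id(const struct model_dp *dp, unsigned int ring_id)
{
    return dp->reo_dst_ring[ring_id].ring_id;
}

/* Corrected pattern: the index is the normal ring ID (0..MAX-1). */
static size_t index_from_ring_id(unsigned int ring_id)
{
    return ring_id;
}

/* Bounds-checked counter update: 0 on success, -1 if idx is outside the array. */
static int count_reo_error(struct model_stats *s, size_t idx)
{
    if (idx >= sizeof(s->hal_reo_error) / sizeof(s->hal_reo_error[0]))
        return -1;
    s->hal_reo_error[idx]++;
    return 0;
}

int main(void)
{
    struct model_dp dp;
    model_init(&dp);
    for (unsigned int r = 0; r < DP_REO_DST_RING_MAX; r++)
        printf("ring %u: SRNG index %zu -> %d, ring index %zu -> %d\n", r,
               index_from_srng_id(&dp, r), count_reo_error(&dp.stats, index_from_srng_id(&dp, r)),
               index_from_ring_id(r), count_reo_error(&dp.stats, index_from_ring_id(r)));
    return 0;
}
```

In this model every SRNG-derived index is rejected by the bounds check, while the normal ring ID always lands inside the array.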

Defensive priority

medium

Recommended defensive actions

  • Review Siemens ProductCERT advisory SSA-355557 for specific product impact and patch availability
  • Verify if affected Siemens products have Wi-Fi functionality enabled and in use
  • Apply kernel updates or vendor-provided firmware patches that include the ath11k driver fix
  • Monitor network traffic for anomalous Wi-Fi activity that could indicate exploitation attempts
  • Implement network segmentation to limit exposure of industrial Wi-Fi infrastructure
  • Follow CISA ICS recommended practices for defense-in-depth security controls

Evidence notes

The vulnerability description is derived from the CISA CSAF advisory ICSA-25-226-07, which references Siemens ProductCERT advisory SSA-355557. The technical details indicate this is a Linux kernel ath11k driver issue where the ath11k_dp_process_rx() function incorrectly uses SRNG ring ID for array indexing. The source advisory indicates this CVE was initially included in the affected products list but subsequent revisions have adjusted product categorization. The February 25, 2026 revision represents the latest CISA republication based on updated Siemens guidance.

Official resources

2025-08-12