PatchSiren cyber security CVE debrief

CVE-2024-49933 Siemens CVE debrief

CVE-2024-49933 is a medium-severity vulnerability (CVSS 5.5) affecting the blk_iocost component in the Linux kernel, specifically involving out-of-bounds shift operations. The vulnerability was published on August 12, 2025, and last modified on February 25, 2026. Siemens has identified this vulnerability as affecting multiple industrial networking products including the RUGGEDCOM RST2428P, SCALANCE XC-300/XR-300/XC-400/XR-500WG/XR-500 family, and SCALANCE XCM-/XRM-/XCH-/XRH-300 family. The vulnerability is classified under CWE-20 (Improper Input Validation). Siemens has provided vendor fixes, with updates to version 3.2 or later recommended for affected products. The CVSS vector indicates a local attack vector with low attack complexity, requiring low privileges and no user interaction, resulting in high availability impact.

Vendor: Siemens
Product: RUGGEDCOM RST2428P (6GK6242-6PA00)
CVSS: MEDIUM 5.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2025-08-12
Original CVE updated: 2026-02-25
Advisory published: 2025-08-12
Advisory updated: 2026-02-25

Who should care

Organizations operating Siemens RUGGEDCOM RST2428P switches, SCALANCE XC-300/XR-300/XC-400/XR-500WG/XR-500 family devices, or SCALANCE XCM-/XRM-/XCH-/XRH-300 family industrial Ethernet switches in operational technology environments should prioritize patching. System administrators responsible for industrial control system infrastructure, network security engineers in manufacturing and critical infrastructure sectors, and compliance teams tracking CVE remediation for OT assets should monitor this advisory.

Technical summary

CVE-2024-49933 addresses out-of-bounds shift operations in the blk_iocost (block I/O cost controller) component of the Linux kernel. It affects Siemens industrial networking equipment running SINEC OS, specifically the RUGGEDCOM RST2428P and multiple SCALANCE product families. Exploitation requires local access with low privileges, and a successful exploit results in high availability impact. The kernel fix corrects shift operations that could use a shift count outside the valid range for the operand width. Siemens addresses the issue in version 3.2 or later of the affected product lines.

Defensive priority: medium

Recommended defensive actions

  • Apply vendor-provided updates to version 3.2 or later for affected Siemens RUGGEDCOM RST2428P and SCALANCE product families
  • Review Siemens ProductCERT advisory SSA-355557 for specific configuration guidance regarding SCALANCE XC-300/XR-300/XC-400/XR-500WG/XR-500 family products
  • Implement defense-in-depth strategies for industrial control systems as recommended by CISA
  • Monitor CISA ICS advisories for additional updates to this vulnerability

Evidence notes

The vulnerability description 'blk_iocost: fix more out of bound shifts' indicates this is a kernel-level issue in the block I/O cost controller. The CISA CSAF advisory ICSA-25-226-07, republished on February 25, 2026, incorporates Siemens ProductCERT SSA-355557 advisory updates. The affected products are industrial Ethernet switches and routers used in operational technology environments.
