PatchSiren cyber security CVE debrief
CVE-2024-49944 Siemens CVE debrief
A NULL pointer dereference vulnerability exists in the Linux kernel's Stream Control Transmission Protocol (SCTP) implementation. When sctp_listen_start() is invoked by sctp_inet_listen(), a failure in sctp_autobind() leaves the socket state incorrectly set to LISTENING rather than CLOSED. On subsequent calls to sctp_inet_listen(), if SCTP_REUSE_PORT has been configured via setsockopt, the code dereferences sctp_sk(sk)->bind_hash while assuming sk_state is LISTENING, but bind_hash remains NULL from the failed autobind, causing a kernel crash. This vulnerability affects Siemens industrial networking products running SINEC OS, specifically the RUGGEDCOM RST2428P and SCALANCE XC-300/XR-300/XC-400/XR-500WG/XR-500 and XCM-/XRM-/XCH-/XRH-300 families. The vulnerability was published on August 12, 2025, with the advisory last modified on February 25, 2026. Siemens has released firmware updates to address this issue.
- Vendor: Siemens
- Product: RUGGEDCOM RST2428P (6GK6242-6PA00)
- CVSS: MEDIUM 5.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2024-04-09
- Original CVE updated: 2026-05-14
- Advisory published: 2024-04-09
- Advisory updated: 2026-05-14
Who should care
Organizations operating Siemens RUGGEDCOM RST2428P, SCALANCE XC-300/XR-300/XC-400/XR-500WG/XR-500, or SCALANCE XCM-/XRM-/XCH-/XRH-300 industrial Ethernet switches in critical infrastructure environments, including utilities, transportation, and manufacturing sectors where network availability is essential.
Technical summary
The vulnerability stems from improper state management in the SCTP protocol stack. When sctp_autobind() fails during sctp_listen_start(), the socket's sk_state is not reset to CLOSED, remaining as LISTENING. On a subsequent sctp_inet_listen() call with SCTP_REUSE_PORT enabled, the kernel assumes bind_hash is valid due to the LISTENING state, but the pointer is NULL, causing a NULL pointer dereference and system crash. This is a local vulnerability requiring low privileges but resulting in high availability impact.
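The state handling described above, as a user-space C model added here for illustration (not Linux kernel or Siemens code). The model_* functions, the struct layout and the return codes are assumptions standing in for sctp_autobind(), sctp_listen_start() and sctp_inet_listen(); -2 marks the point where the kernel would dereference a NULL bind_hash.

```c
#include <stdbool.h>
#include <stdio.h>

enum sk_state { SK_CLOSED, SK_LISTENING };
struct bucket { bool fastreuse; };
struct model_sock {               /* hypothetical stand-in for the SCTP socket */
    enum sk_state state;
    struct bucket *bind_hash;     /* NULL until a bind succeeds */
    bool reuse;                   /* SCTP_REUSE_PORT set via setsockopt */
};

/* Stand-in for sctp_autobind(): fails when no bucket is available. */
static int model_autobind(struct model_sock *sk, struct bucket *avail) {
    if (avail)
        sk->bind_hash = avail;
    return avail ? 0 : -1;
}

/* Stand-in for sctp_listen_start(); fixed selects the corrected error path. */
static int model_listen_start(struct model_sock *sk, struct bucket *avail, bool fixed) {
    sk->state = SK_LISTENING;      /* state changes before the bind attempt */
    if (!sk->bind_hash && model_autobind(sk, avail) < 0) {
        if (fixed)
            sk->state = SK_CLOSED; /* undo the state change on failure */
        return -1;
    }
    return 0;
}

/* Stand-in for sctp_inet_listen(); -2 marks the NULL dereference point. */
static int model_inet_listen(struct model_sock *sk, struct bucket *avail, bool fixed) {
    if (sk->state != SK_LISTENING)
        return model_listen_start(sk, avail, fixed);
    if (sk->reuse) {               /* trusts LISTENING to imply a valid bind_hash */
        if (!sk->bind_hash)
            return -2;
        sk->bind_hash->fastreuse = true;
    }
    return 0;
}

int main(void) {
    struct model_sock unfixed = { SK_CLOSED, NULL, true }, patched = unfixed;
    model_inet_listen(&unfixed, NULL, false);   /* first call: autobind fails */
    model_inet_listen(&patched, NULL, true);
    printf("second call, unfixed: %d, fixed: %d\n",
           model_inet_listen(&unfixed, NULL, false), model_inet_listen(&patched, NULL, true));
    return 0;
}
```

In the unfixed path the socket ends the first call as LISTENING with a NULL bind_hash, so the second call reaches the dereference point; with the state reset to CLOSED, the second call simply retries the bind and fails cleanly.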
Defensive priority
medium
Recommended defensive actions
- Apply vendor-provided firmware updates: Update RUGGEDCOM RST2428P and SCALANCE XCM-/XRM-/XCH-/XRH-300 family devices to firmware version V3.2 or later
- For SCALANCE XC-300/XR-300/XC-400/XR-500WG/XR-500 family devices, consult Siemens ProductCERT advisory SSA-355557 for specific update guidance
- Implement network segmentation to limit exposure of affected industrial control systems
- Monitor for anomalous SCTP traffic patterns that could indicate exploitation attempts
- Apply defense-in-depth strategies per CISA ICS recommended practices
- Review and restrict local access to affected devices to authorized personnel only
Evidence notes
The vulnerability description is sourced from CISA CSAF advisory ICSA-25-226-07, which references Siemens ProductCERT advisory SSA-355557. The affected products are explicitly listed in the CSAF product tree with high confidence. The CVSS 3.1 vector AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H indicates a local attack vector with low attack complexity, requiring low privileges and resulting in high availability impact.
Official resources
- CVE-2024-49944 CVE record (CVE.org)
- CVE-2024-49944 NVD detail (NVD)
- Source item URL (cisa_csaf)
- Source reference (Reference)
2025-08-12