PatchSiren cyber security CVE debrief
CVE-2024-49975 Siemens CVE debrief
CVE-2024-49975 is a medium-severity vulnerability in the Linux kernel's uprobes subsystem affecting Siemens industrial network devices running SINEC OS. The flaw exists in the xol_add_vma() function, which maps an uninitialized page allocated by __create_xol_area() into userspace. On x86 architectures, this memory is readable even without VM_READ permission, and setting VM_EXEC produces the same page protection attributes as setting both VM_EXEC and VM_READ. A local attacker with low privileges could exploit this to read uninitialized kernel memory, potentially leading to information disclosure or system instability. The vulnerability was published on August 12, 2025, and affects RUGGEDCOM RST2428P and SCALANCE XC-300/XR-300/XC-400/XR-500WG/XR-500 family and XCM-/XRM-/XCH-/XRH-300 family devices. Siemens has released updates to address this issue.
- Vendor: Siemens
- Product: RUGGEDCOM RST2428P (6GK6242-6PA00)
- CVSS: MEDIUM 5.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2025-08-12
- Original CVE updated: 2026-02-25
- Advisory published: 2025-08-12
- Advisory updated: 2026-02-25
Who should care
Organizations operating Siemens RUGGEDCOM RST2428P, SCALANCE XC-300/XR-300/XC-400/XR-500WG/XR-500, or SCALANCE XCM-/XRM-/XCH-/XRH-300 industrial network devices in critical infrastructure environments should prioritize this update. System administrators, OT security teams, and network engineers responsible for industrial control system maintenance should assess exposure and apply patches. Organizations subject to NERC CIP, IEC 62443, or similar industrial cybersecurity frameworks should document this vulnerability in their asset inventory and remediation tracking systems.
Technical summary
The vulnerability resides in the Linux kernel's uprobes (user-space probes) implementation. The xol_add_vma() function creates a virtual memory area (VMA) for execute-out-of-line (XOL) operations used during debugging and tracing. This function maps a page allocated by __create_xol_area() that is not properly initialized. On x86 architectures, the page protection attributes allow read access even when VM_READ is not explicitly set, because VM_EXEC alone produces the same pgprot_t as VM_EXEC combined with VM_READ. This architectural quirk enables a debugger or local process to read uninitialized kernel memory contents, violating expected memory isolation boundaries. The CVSS 3.1 score of 5.5 reflects local attack requirements but high availability impact potential.
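For hosts where /proc is accessible, the following added example (not code from the advisory or from Siemens) inventories XOL mappings in /proc/<pid>/maps text and applies the x86 rule described above to decide whether an execute-only mapping is effectively readable. It assumes the XOL area is listed under the kernel's `[uprobes]` mapping name; the sample maps content and the function names are constructed for illustration.

```python
import re

# Constructed sample of /proc/<pid>/maps content (not captured from a real device).
SAMPLE_MAPS = """\
55d0c0a00000-55d0c0a21000 r-xp 00000000 08:01 131090 /usr/bin/example
7f3a1c000000-7f3a1c021000 rw-p 00000000 00:00 0
7fffe0000000-7fffe0001000 --xp 00000000 00:00 0 [uprobes]
7ffd5a1e0000-7ffd5a201000 rw-p 00000000 00:00 0 [stack]
"""

# start-end perms offset dev inode [name]
MAPS_LINE = re.compile(
    r"^(?P<start>[0-9a-f]+)-(?P<end>[0-9a-f]+)\s+(?P<perms>[r-][w-][x-][ps])\s+"
    r"[0-9a-f]+\s+\S+\s+\d+\s*(?P<name>.*)$"
)
X86_ARCHES = {"x86_64", "i386", "i686"}


def effectively_readable(perms, arch):
    """True for an explicit 'r', or for execute-only on x86, where VM_EXEC alone
    yields the same protection as VM_EXEC | VM_READ (as the summary states).
    Other architectures are not covered by the page, so only 'r' counts there."""
    return perms[0] == "r" or (perms[2] == "x" and arch in X86_ARCHES)


def find_xol_areas(maps_text, arch):
    """Return one record per [uprobes] mapping found in maps_text."""
    findings = []
    for line in maps_text.splitlines():
        m = MAPS_LINE.match(line.strip())
        if not m or m.group("name").strip() != "[uprobes]":
            continue
        start, end = int(m.group("start"), 16), int(m.group("end"), 16)
        findings.append({
            "range": f"{m.group('start')}-{m.group('end')}",
            "size": end - start,
            "perms": m.group("perms"),
            "readable": effectively_readable(m.group("perms"), arch),
        })
    return findings


if __name__ == "__main__":
    for finding in find_xol_areas(SAMPLE_MAPS, "x86_64"):
        print(finding)
```

On a live host, pass the contents of /proc/<pid>/maps and the value of `platform.machine()` instead of the constructed sample.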
Defensive priority
medium
Recommended defensive actions
- Apply vendor-provided updates to V3.2 or later for affected RUGGEDCOM RST2428P and SCALANCE XCM-/XRM-/XCH-/XRH-300 family devices
- For SCALANCE XC-300/XR-300/XC-400/XR-500WG/XR-500 family, consult Siemens ProductCERT advisory SSA-355557 for specific configuration guidance and update instructions
- Implement defense-in-depth strategies for industrial control systems, including network segmentation and access controls
- Monitor for anomalous local process behavior that may indicate attempted exploitation of kernel memory disclosure vulnerabilities
- Review and apply CISA's ICS recommended practices for securing industrial control systems
Evidence notes
The vulnerability description is sourced from CISA CSAF advisory ICSA-25-226-07, which references Siemens ProductCERT advisory SSA-355557. The CVSS 3.1 vector (AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H) indicates local attack vector with low attack complexity, low privileges required, and high availability impact. The affected products are confirmed through CSAF product tree data with high confidence.
Official resources
- CVE-2024-49975 CVE record (CVE.org)
- CVE-2024-49975 NVD detail (NVD)
- Source item URL (cisa_csaf)
- Source reference (Reference)
2025-08-12