PatchSiren

PatchSiren cyber security CVE debrief

CVE-2024-49985 Siemens CVE debrief

CVE-2024-49985 is a medium-severity (CVSS 5.5) deadlock vulnerability in the STM32F7 I2C driver affecting Siemens industrial networking products. The flaw occurs when a clock controller attached to the I2C bus controller—such as a Versaclock or AIC32x4 I2C codec—triggers an I2C transfer from within the clock controller's clk_ops .prepare callback. This sequence can cause a deadlock on the drivers/clk/clk.c prepare_lock mutex, resulting in denial of service through system hang or crash. The vulnerability was published on August 12, 2025, and last modified on February 25, 2026. Siemens has issued patches: RUGGEDCOM RST2428P and SCALANCE XCM-/XRM-/XCH-/XRH-300 family should update to V3.2 or later; SCALANCE XC-300/XR-300/XC-400/XR-500WG/XR-500 family has vendor fix guidance available. No known exploitation or ransomware campaign use has been reported.

Vendor: Siemens
Product: RUGGEDCOM RST2428P (6GK6242-6PA00)
CVSS: MEDIUM 5.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2025-08-12
Original CVE updated: 2026-02-25
Advisory published: 2025-08-12
Advisory updated: 2026-02-25

Who should care

Industrial control system operators, OT security teams, and network administrators managing Siemens RUGGEDCOM RST2428P switches or SCALANCE XC/XR/XCM/XRM/XCH/XRH-300 family industrial Ethernet switches. Organizations with STM32F7-based embedded systems using external clock controllers on I2C buses should also assess exposure. Priority should be given to critical infrastructure deployments where device availability is essential.

Technical summary

The STM32F7 I2C driver contains a deadlock vulnerability arising from an improper locking interaction between I2C bus operations and clock controller callbacks. When a clock controller's .prepare callback initiates an I2C transfer, the transfer path attempts to take prepare_lock in drivers/clk/clk.c again; that mutex is already held by the clock controller path higher in the same call chain, so the nested acquisition deadlocks the system. This is a lock ordering violation of the re-entrant kind: the I2C transfer path tries to acquire a non-recursive lock that its own caller, the clock controller path, is still holding. The vulnerability is exploitable locally with low privileges and requires no user interaction, which makes it particularly relevant in multi-user or containerized industrial environments where untrusted code may execute. The impact profile (high availability impact through a system hang or crash, with no confidentiality or integrity impact) is typical of deadlock vulnerabilities.
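The nested acquisition described above can be modelled in a few lines of C. The following is an added example, not kernel code and not part of the advisory: it stands in for prepare_lock with a toy mutex that records its holding context, so that a second acquisition from the same context is reported as -EDEADLK instead of hanging (on a debug kernel, lockdep would report the same condition; on a production kernel the effect is the silent hang the advisory describes). The "fixed" transfer path assumes the general clock-framework rule that clk_enable()/clk_disable() do not take prepare_lock, so a driver whose clock was prepared once at probe time can run transfers without it; whether that is the exact change Siemens shipped is not stated on this page and is an assumption here.

```c
#include <errno.h>
#include <stdio.h>

/*
 * Toy model of drivers/clk/clk.c prepare_lock: a single, non-recursive mutex.
 * Unlike a real mutex, re-acquisition by the holding context returns -EDEADLK
 * so the fault is observable in a test instead of being a hang.
 */
struct model_mutex {
    int held;
    int owner;          /* context id of the current holder, valid when held */
};

static struct model_mutex prepare_lock;
static int i2c_transfers_completed;

static int model_mutex_lock(struct model_mutex *m, int ctx)
{
    if (m->held && m->owner == ctx)
        return -EDEADLK;    /* re-entrant acquisition: a real mutex never returns */
    m->held = 1;
    m->owner = ctx;
    return 0;
}

static void model_mutex_unlock(struct model_mutex *m)
{
    m->held = 0;
}

/*
 * Faulty I2C transfer path (hypothetical stand-in for the driver behaviour the
 * advisory describes): the transfer path prepares its own clock, and clk_prepare()
 * means taking prepare_lock.
 */
static int i2c_xfer_prepares_clock(int ctx)
{
    int rc = model_mutex_lock(&prepare_lock, ctx);   /* clk_prepare() */
    if (rc)
        return rc;
    i2c_transfers_completed++;
    model_mutex_unlock(&prepare_lock);               /* clk_unprepare() */
    return 0;
}

/*
 * Hardened transfer path (assumed mitigation pattern): the clock was prepared
 * once at probe time, so the transfer path only needs the enable/disable step,
 * which in the clock framework does not touch prepare_lock.
 */
static int i2c_xfer_clock_preprepared(int ctx)
{
    (void)ctx;
    i2c_transfers_completed++;                       /* clk_enable() only */
    return 0;
}

/*
 * clk_prepare() for a clock controller (e.g. a Versaclock) whose .prepare
 * callback configures the chip over I2C: prepare_lock is held for the whole
 * callback, so any I2C transfer inside it runs with the lock already taken.
 */
static int clk_prepare_over_i2c(int (*xfer)(int), int ctx)
{
    int rc = model_mutex_lock(&prepare_lock, ctx);
    if (rc)
        return rc;
    rc = xfer(ctx);                 /* .prepare callback issues the transfer */
    model_mutex_unlock(&prepare_lock);
    return rc;
}

/* Both scenarios run in one context (ctx 1): the nested call chain of the CVE. */
int run_vulnerable_chain(void)
{
    prepare_lock.held = 0;
    return clk_prepare_over_i2c(i2c_xfer_prepares_clock, 1);    /* -EDEADLK */
}

int run_fixed_chain(void)
{
    prepare_lock.held = 0;
    return clk_prepare_over_i2c(i2c_xfer_clock_preprepared, 1); /* 0 */
}

int main(void)
{
    int rc = run_vulnerable_chain();
    printf("vulnerable chain: %d (%s)\n", rc,
           rc == -EDEADLK ? "self-deadlock detected" : "ok");
    printf("fixed chain: %d\n", run_fixed_chain());
    return 0;
}
```

The point for defenders is that the hang has no attacker-facing signature beyond device unavailability: the same re-entrant chain that this model reports as -EDEADLK is, on an unpatched production kernel, an indefinite wait on prepare_lock, which is why the watch item in the recommended actions is system hangs rather than a log message.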

Defensive priority

medium

Recommended defensive actions

  • Apply vendor patches: Update RUGGEDCOM RST2428P and SCALANCE XCM-/XRM-/XCH-/XRH-300 family to V3.2 or later
  • Follow Siemens guidance for SCALANCE XC-300/XR-300/XC-400/XR-500WG/XR-500 family remediation
  • Review I2C clock controller configurations for potential deadlock conditions
  • Implement defense-in-depth strategies for industrial control systems per CISA guidance
  • Monitor for system hangs or crashes indicative of mutex deadlock conditions

Evidence notes

Vulnerability description and affected products confirmed through CISA CSAF advisory ICSA-25-226-07, which references Siemens ProductCERT advisory SSA-355557. CVSS vector AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H indicates local attack vector with low attack complexity, low privileges required, no user interaction, and high availability impact.

Official resources

2025-08-12