PatchSiren cyber security CVE debrief
CVE-2024-50121 Siemens CVE debrief
This CVE affects the GNU/Linux subsystem within Siemens SIMATIC S7-1500 TM MFP industrial control systems. The vulnerability resides in the Linux kernel's NFS server (nfsd) implementation, specifically in how `nfsd_shrinker_work` operates in synchronous mode during `nfs4_state_shutdown_net`. When an administrator executes `echo 0 > /proc/fs/nfsd/threads` to shut down NFS server threads, the `nfs4_state_destroy_net` function attempts to release all resources associated with hashed `nfs4_client` structures. The synchronous shrinker work mode creates a problematic condition that can lead to resource management issues during NFS server shutdown operations.
The vulnerability is classified as CWE-416 (Use After Free) based on the supplied source references. It has a CVSS 3.1 score of 5.5 (MEDIUM severity): the attack vector is local, attack complexity is low, low privileges are required, and no user interaction is needed. The impact is limited to availability, which is rated high; there is no confidentiality or integrity impact.
This vulnerability was first published on April 9, 2024, and the advisory has been updated multiple times through September 2025 as additional related CVEs were identified in the same product. No patch is currently available from the vendor.
- Vendor: Siemens
- Product: SIMATIC S7-1500 TM MFP - GNU/Linux subsystem
- CVSS: MEDIUM 5.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2024-04-09
- Original CVE updated: 2026-05-14
- Advisory published: 2024-04-09
- Advisory updated: 2026-05-14
Who should care
Organizations operating Siemens SIMATIC S7-1500 TM MFP systems with the GNU/Linux subsystem enabled; industrial control system administrators responsible for NFS services on embedded Linux environments; security teams managing OT/IT convergence risks in manufacturing and process control environments
Technical summary
The vulnerability exists in the Linux kernel NFS server implementation where `nfsd_shrinker_work` uses synchronous mode during `nfs4_state_shutdown_net`. When NFS server threads are terminated via `/proc/fs/nfsd/threads`, the `nfs4_state_destroy_net` function's resource cleanup for `nfs4_client` structures encounters synchronization issues. This is a local vulnerability requiring low privileges, with exploitation resulting in denial of service (availability impact). The affected component is the GNU/Linux subsystem optional feature of Siemens SIMATIC S7-1500 TM MFP, which provides a secondary runtime environment distinct from the primary PLC functionality.
Defensive priority
medium
Recommended defensive actions
- Restrict interactive shell access to the GNU/Linux subsystem to authorized personnel only
- Implement application whitelisting to ensure only trusted applications execute on the GNU/Linux subsystem
- Monitor for unauthorized attempts to modify NFS server thread counts
- Apply defense-in-depth strategies per ICS-CERT guidance for industrial control systems
- Monitor Siemens security advisories for future patch availability
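One way to implement the thread-count monitoring recommended above, as an added example that is not part of the advisory or any Siemens tooling: a small Python poller that reads `/proc/fs/nfsd/threads` and classifies each change, flagging the transition to 0 that the technical summary describes. The function names, the 5-second interval, the sample sequence and the availability of Python on the monitoring host are assumptions.

```python
import time
from pathlib import Path

THREADS_FILE = Path("/proc/fs/nfsd/threads")  # path named in the advisory text


def read_threads(path=THREADS_FILE):
    """Return the nfsd thread count, or None if the file is missing or unreadable."""
    try:
        return int(path.read_text().split()[0])
    except (OSError, ValueError, IndexError):
        return None


def classify(prev, cur):
    """Map one (previous, current) sample pair to an alert message, or None."""
    if prev == cur:
        return None
    if cur is None:
        return "WARN: thread file unreadable (nfsd unmounted or access denied)"
    if prev is None:
        return f"INFO: nfsd visible with {cur} threads"
    if cur == 0:
        # The shutdown path described for this CVE: thread count written to 0.
        return f"ALERT: nfsd shut down ({prev} -> 0 threads)"
    if prev == 0:
        return f"NOTICE: nfsd started with {cur} threads"
    return f"NOTICE: thread count changed {prev} -> {cur}"


def scan(samples):
    """Classify each consecutive sample pair; return (index, message) alerts."""
    pairs = zip(samples, samples[1:])
    return [(i, m) for i, (p, c) in enumerate(pairs, 1) if (m := classify(p, c))]


# Constructed sample sequence (not real telemetry): steady, resized, shut down.
SAMPLE = [8, 8, 16, 16, 0, 0, 8]

if __name__ == "__main__":
    for idx, msg in scan(SAMPLE):
        print(f"sample {idx}: {msg}")
    last = read_threads()
    while True:  # live polling; the interval is an assumption, tune per site
        time.sleep(5)
        cur = read_threads()
        if (msg := classify(last, cur)):
            print(time.strftime("%Y-%m-%dT%H:%M:%S"), msg)
        last = cur
```

Polling shows that the count changed, not who changed it, and a change that is reverted between two polls is missed. Correlate alerts with shell-access records for the GNU/Linux subsystem.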
Evidence notes
Vulnerability description and technical details sourced from CISA CSAF advisory ICSA-24-102-01. CVSS vector AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H confirmed from source. CWE-416 reference identified in source material. Vendor remediation status of 'no fix available' explicitly stated in source. Multiple advisory revisions tracked from April 2024 through September 2025.
Official resources
- CVE-2024-50121 CVE record (CVE.org)
- CVE-2024-50121 NVD detail (NVD)
- Source item URL (cisa_csaf)
- Source reference (Reference)
2024-04-09