PatchSiren cyber security CVE debrief
CVE-2024-50268 Siemens CVE debrief
CVE-2024-50268 is a medium-severity out-of-bounds access vulnerability in the Linux kernel's USB Type-C UCSI (USB Type-C Connector System Software Interface) driver, specifically within the `ucsi_ccg_update_set_new_cam_cmd()` function. The vulnerability stems from insufficient bounds checking on the `new_cam` parameter, which is derived from user-controllable input via debugfs. The `*cmd` variable can be manipulated by an attacker with local access, allowing `new_cam` values up to 255 to be used as an index into an array with only 30 elements (`UCSI_MAX_ALTMODES`).

This flaw was published on August 12, 2025, and subsequently incorporated into Siemens ProductCERT advisory SSA-355557, which CISA republished as ICSA-25-226-07 on February 25, 2026. The vulnerability affects Siemens industrial networking products running SINEC OS, including RUGGEDCOM RST2428P switches and multiple SCALANCE product families, where the vulnerable kernel code is present in the underlying operating system.

Successful exploitation could result in denial of service conditions due to memory corruption. The CVSS 3.1 vector (AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H) reflects the local attack vector, low attack complexity, and high availability impact, with no confidentiality or integrity impact. Siemens has provided vendor fixes, with updates to version 3.2 or later recommended for affected RUGGEDCOM and SCALANCE products.
- Vendor: Siemens
- Product: RUGGEDCOM RST2428P (6GK6242-6PA00)
- CVSS: MEDIUM 5.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2025-08-12
- Original CVE updated: 2026-02-25
- Advisory published: 2025-08-12
- Advisory updated: 2026-02-25
Who should care
Organizations operating Siemens RUGGEDCOM RST2428P switches or SCALANCE XC-300/XR-300/XC-400/XR-500WG/XR-500 and XCM-/XRM-/XCH-/XRH-300 family industrial Ethernet switches in critical infrastructure environments, particularly those with local user access requirements or debugfs exposure. Security teams responsible for industrial control system patch management and kernel-level vulnerability remediation should prioritize assessment based on product deployment and access control posture.
Technical summary
The vulnerability exists in the `ucsi_ccg_update_set_new_cam_cmd()` function within the Linux kernel's USB Type-C UCSI driver. The function accepts a `*cmd` parameter that can be controlled by users through debugfs interfaces, specifically via `simple_attr_write_xsigned()`. The `new_cam` field derived from this input is not properly validated against the bounds of the `uc->updated[]` array, which is sized to `UCSI_MAX_ALTMODES` (30 elements). Since `new_cam` can reach values up to 255, an out-of-bounds array access occurs. The call chain propagates from `ucsi_cmd()` through `ucsi_send_command()`, `ucsi_send_command_common()`, `ucsi_run_command()`, and finally `ucsi_ccg_sync_control()`.

This vulnerability is present in Siemens industrial networking products that incorporate the affected kernel code within SINEC OS. Exploitation requires local access with low privileges and can result in system instability or denial of service through kernel memory corruption. The vulnerability has no confidentiality or integrity impact but poses availability risks to industrial control system operations.
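The missing check described above, shown as an added user-space C model; it is not the kernel's code or Siemens' patch. Only the `updated[]` array, `UCSI_MAX_ALTMODES` = 30 and the 0..255 range come from the text; the struct layout, the bit position of the `new_cam` field and the helper names are assumptions for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define UCSI_MAX_ALTMODES 30   /* array size stated in the advisory text */
/* Assumption: the 8-bit new_cam field occupies bits 24..31 of the command. */
#define NEW_CAM_SHIFT 24

struct altmode_slot { uint16_t svid; uint32_t mid; };   /* simplified model */
struct ccg_model { struct altmode_slot updated[UCSI_MAX_ALTMODES]; };

/* Extract the user-influenced index; an 8-bit field can hold 0..255. */
static uint8_t get_new_cam(uint64_t cmd)
{
    return (uint8_t)((cmd >> NEW_CAM_SHIFT) & 0xffu);
}

/* Hardened lookup: compare the index with the real array length before
 * forming a pointer into updated[]; NULL tells the caller to drop the command. */
static struct altmode_slot *lookup_new_cam(struct ccg_model *uc, uint64_t cmd)
{
    uint8_t new_cam = get_new_cam(cmd);

    if (new_cam >= sizeof(uc->updated) / sizeof(uc->updated[0]))
        return NULL;
    return &uc->updated[new_cam];
}

/* Build a constructed sample command carrying the given index. */
static uint64_t make_cmd(uint8_t new_cam)
{
    return ((uint64_t)new_cam << NEW_CAM_SHIFT) | 0x0fu;  /* low bits arbitrary */
}

int main(void)
{
    static struct ccg_model uc;
    const uint8_t samples[] = { 0, 29, 30, 255 };   /* constructed inputs */

    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        struct altmode_slot *slot = lookup_new_cam(&uc, make_cmd(samples[i]));
        printf("new_cam=%3u -> %s\n", (unsigned)samples[i],
               slot ? "accepted" : "rejected (out of range)");
    }
    return 0;
}
```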
Defensive priority
medium
Recommended defensive actions
- Apply vendor-provided firmware updates to version 3.2 or later for affected Siemens RUGGEDCOM RST2428P and SCALANCE XCM-/XRM-/XCH-/XRH-300 family products per vendor guidance
- For SCALANCE XC-300/XR-300/XC-400/XR-500WG/XR-500 family, consult Siemens ProductCERT advisory SSA-355557 for specific configuration and patch guidance
- Restrict local access to debugfs interfaces on affected systems to authorized administrators only
- Monitor for anomalous system behavior or crashes indicative of memory corruption in USB Type-C subsystems
- Implement defense-in-depth strategies for industrial control systems per CISA recommended practices
Evidence notes
Vulnerability description and affected product information derived from CISA CSAF advisory ICSA-25-226-07, which republishes Siemens ProductCERT SSA-355557. CVSS vector and score confirmed through source references. Remediation guidance extracted from CSAF remediations section.
Official resources
- CVE-2024-50268 CVE record (CVE.org)
- CVE-2024-50268 NVD detail (NVD)
- Source item URL (cisa_csaf)
2025-08-12