PatchSiren cyber security CVE debrief
CVE-2024-53059 Siemens CVE debrief
CVE-2024-53059 is a vulnerability in the Linux kernel's Intel wireless (iwlwifi) driver, specifically in the `iwl_mvm_send_recovery_cmd()` function within the mvm (multi-VM) module. The issue involves two related problems: failure to validate the size of response packets and failure to free the response buffer after use. These defects could potentially lead to memory corruption or resource exhaustion conditions. The vulnerability was resolved by refactoring the code to use `iwl_mvm_send_cmd_status()`, which properly handles both size validation and buffer deallocation. This CVE was published on August 12, 2025, and subsequently modified on February 25, 2026. The vulnerability appears in CISA's ICS advisory ICSA-25-226-07, which addresses Siemens Third-Party Components in SINEC OS. Siemens has assessed the impact as 'Misinformed' for affected product configurations, indicating that the vulnerability's applicability or severity may have been initially mischaracterized. No CVSS score or severity rating is currently available in the source data. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, and there is no indication of known ransomware campaign use.
- Vendor: Siemens
- Product: RUGGEDCOM RST2428P (6GK6242-6PA00)
- CVSS: HIGH 7.8
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2024-04-09
- Original CVE updated: 2026-05-14
- Advisory published: 2024-04-09
- Advisory updated: 2026-05-14
Who should care
Organizations operating Siemens industrial networking infrastructure, including RUGGEDCOM RST2428P switches and SCALANCE XC/XR/XCM/XRM/XCH/XRH series devices running SINEC OS; security teams managing Linux-based embedded systems with Intel wireless chipsets; OT/ICS security practitioners tracking third-party component vulnerabilities in industrial equipment; and network administrators responsible for wireless infrastructure in industrial control environments.
Technical summary
CVE-2024-53059 affects the Intel wireless (iwlwifi) driver's multi-VM (mvm) module in the Linux kernel. The `iwl_mvm_send_recovery_cmd()` function contained two implementation defects: (1) missing validation of response packet sizes, which could lead to out-of-bounds read conditions or processing of malformed data, and (2) failure to free the response buffer, constituting a memory leak. The resolution involved replacing the vulnerable function call with `iwl_mvm_send_cmd_status()`, which encapsulates proper size validation and automatic buffer deallocation. This vulnerability is relevant to industrial environments where Siemens networking equipment running SINEC OS incorporates the affected Linux kernel components. The 'Misinformed' impact assessment from Siemens suggests that initial vulnerability characterization may not accurately reflect actual risk for specific product configurations, emphasizing the importance of consulting vendor-specific guidance.
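To make the two defects concrete, here is a constructed user-space model in C that is not the kernel's iwlwifi code and not taken from the advisory: a fake firmware stub, the unchecked pattern (no size comparison, response buffer never released), and the checked pattern the fix's helper is described as adopting. All names (`resp_pkt`, `recovery_resp`, `fw_send_cmd`, `fw_free_resp`, `live_packets`, both `send_recovery_cmd_*` functions) are assumptions for this example.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for a firmware response: a length-prefixed payload. */
struct resp_pkt { uint32_t len; uint8_t data[]; };
/* Hypothetical layout the recovery command expects back: one 32-bit status word. */
struct recovery_resp { uint32_t status; };

static int live_packets;  /* response buffers not yet freed; nonzero after a call = leak */

/* Constructed firmware stub: returns resp_len zero-filled payload bytes, so a
 * firmware that answers with fewer bytes than the driver expects can be simulated. */
static struct resp_pkt *fw_send_cmd(uint32_t resp_len) {
    struct resp_pkt *pkt = calloc(1, sizeof *pkt + resp_len);
    if (!pkt) return NULL;
    pkt->len = resp_len;
    live_packets++;
    return pkt;
}
static void fw_free_resp(struct resp_pkt *pkt) { free(pkt); live_packets--; }

/* The two defects the advisory describes, in one function: the payload is copied
 * without comparing pkt->len to the expected size (out-of-bounds read if the
 * firmware answers short), and the packet is never handed back (leak). */
int send_recovery_cmd_unchecked(uint32_t fw_resp_len, uint32_t *status_out) {
    struct resp_pkt *pkt = fw_send_cmd(fw_resp_len);
    struct recovery_resp r;
    if (!pkt) return -2;
    memcpy(&r, pkt->data, sizeof r);   /* reads past data[] when len < sizeof r */
    *status_out = r.status;
    return 0;                          /* pkt is lost here */
}

/* Hardened pattern: check the size before touching the payload and release the
 * packet on every path, which is what the fix's helper is described as doing.
 * Returns 0 on success, -1 on a short response, -2 on allocation failure. */
int send_recovery_cmd_checked(uint32_t fw_resp_len, uint32_t *status_out) {
    struct resp_pkt *pkt = fw_send_cmd(fw_resp_len);
    int ret = -1;
    if (!pkt) return -2;
    if (pkt->len >= sizeof(struct recovery_resp)) {
        struct recovery_resp r;
        memcpy(&r, pkt->data, sizeof r);
        *status_out = r.status;
        ret = 0;
    }
    fw_free_resp(pkt);                 /* freed whether or not the response was usable */
    return ret;
}
```

The `live_packets` counter is the cheap stand-in for a leak detector: after the checked variant it is back to zero on both the short-response and the normal path, after the unchecked variant it is not.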
Defensive priority
medium
Recommended defensive actions
- Review Siemens ProductCERT advisory SSA-355557 for authoritative product-specific guidance on affected configurations and patches
- Verify whether deployed Siemens industrial networking equipment (RUGGEDCOM RST2428P, SCALANCE XC-300/XR-300/XC-400/XR-500WG/XR-500 family, SCALANCE XCM-/XRM-/XCH-/XRH-300 family) runs SINEC OS versions incorporating thev
- Apply kernel updates or firmware patches provided by Siemens that include the iwlwifi driver fix for CVE-2024-53059
- Monitor CISA ICS advisories for updates to ICSA-25-226-07 regarding this vulnerability
- Implement network segmentation for industrial wireless infrastructure to limit exposure of iwlwifi-dependent systems
- Follow CISA recommended practices for industrial control systems defense in depth
Evidence notes
The vulnerability description is sourced from the Linux kernel commit message resolving the issue, as reflected in CISA CSAF advisory ICSA-25-226-07. Siemens' ProductCERT advisory SSA-355557 provides the authoritative vendor assessment. The 'Misinformed' impact categorization originates from the CSAF threats section of the source advisory.
Official resources
- CVE-2024-53059 CVE record (CVE.org)
- CVE-2024-53059 NVD detail (NVD)
- Source item URL (cisa_csaf)
2025-08-12