PatchSiren cyber security CVE debrief
CVE-2024-53060 Siemens CVE debrief
CVE-2024-53060 describes a NULL pointer dereference vulnerability in the Linux kernel's drm/amdgpu driver. The issue occurs when acpi_evaluate_object() returns AE_NOT_FOUND, which could lead to a NULL pointer dereference if not properly handled. The vulnerability is mitigated by bailing out when this status is encountered. This CVE was published on 2025-08-12 and last modified on 2026-02-25. The vulnerability originates from the Linux kernel's AMDGPU DRM driver and affects Siemens industrial networking products that incorporate the vulnerable component. According to CISA ICS Advisory ICSA-25-226-07, the impact assessment for this CVE is marked as 'Misinformed' for affected Siemens products including RUGGEDCOM RST2428P and SCALANCE XC-300/XR-300/XC-400/XR-500WG/XR-500 family devices. The advisory was republished by CISA on 2026-02-25 based on Siemens ProductCERT SSA-355557 advisory updates. No CVSS score or severity rating is currently available in the source data.
- Vendor: Siemens
- Product: RUGGEDCOM RST2428P (6GK6242-6PA00)
- CVSS: Unknown
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2025-08-12
- Original CVE updated: 2026-02-25
- Advisory published: 2025-08-12
- Advisory updated: 2026-02-25
Who should care
Organizations operating Siemens RUGGEDCOM RST2428P, SCALANCE XC-300/XR-300/XC-400/XR-500WG/XR-500 family, or SCALANCE XCM-/XRM-/XCH-/XRH-300 family industrial networking equipment should monitor this advisory. System administrators responsible for industrial control system (ICS) security and network infrastructure in manufacturing, energy, and critical infrastructure sectors should review the Siemens ProductCERT guidance to determine actual product impact and patch availability.
Technical summary
CVE-2024-53060 is a NULL pointer dereference vulnerability in the Linux kernel's Direct Rendering Manager (DRM) AMDGPU driver. The vulnerability manifests when the acpi_evaluate_object() function returns AE_NOT_FOUND, which was not previously handled correctly, potentially leading to a NULL pointer dereference. The fix implements proper status checking to bail out when AE_NOT_FOUND is encountered. This kernel-level vulnerability affects Siemens industrial networking products that incorporate the Linux kernel with the vulnerable AMDGPU driver code. The CISA ICS advisory marks the impact as 'Misinformed' for affected products, suggesting the vulnerability may not be exploitable in the specific Siemens product context or requires specific conditions not present in typical deployments.
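The failure mode described above, as an added user-space C model (not the kernel's code, and not from Siemens or CISA). `model_evaluate`, `call_before`, `call_after` and the status values are hypothetical stand-ins, and the model assumes the pre-fix check let the not-found status through as non-fatal.

```c
#include <stddef.h>
#include <stdio.h>

/* Constructed stand-ins for the ACPI status codes and result buffer. */
typedef enum { ST_OK = 0, ST_ERROR = 1, ST_NOT_FOUND = 5 } model_status;
struct model_buffer { void *pointer; };

/* Hypothetical evaluator: on failure the result pointer stays NULL. */
static model_status model_evaluate(int method_present, struct model_buffer *out)
{
    static int payload = 0x2a;   /* constructed sample result */
    out->pointer = NULL;
    if (!method_present)
        return ST_NOT_FOUND;
    out->pointer = &payload;
    return ST_OK;
}

/* Before (assumed shape): not-found is exempted from the failure check,
 * so the caller is told "success" while *obj is NULL. */
static int call_before(int method_present, void **obj)
{
    struct model_buffer buf;
    model_status st = model_evaluate(method_present, &buf);
    if (st != ST_OK && st != ST_NOT_FOUND)
        return -1;
    *obj = buf.pointer;          /* NULL when the method is absent */
    return 0;
}

/* After: bail out on every failure status, including not-found. */
static int call_after(int method_present, void **obj)
{
    struct model_buffer buf;
    model_status st = model_evaluate(method_present, &buf);
    *obj = NULL;
    if (st != ST_OK)
        return -1;
    *obj = buf.pointer;
    return 0;
}

int main(void)
{
    void *obj = NULL;
    int rc = call_before(0, &obj);
    printf("before: rc=%d obj=%p\n", rc, obj);
    rc = call_after(0, &obj);
    printf("after:  rc=%d obj=%p\n", rc, obj);
    return 0;
}
```

A caller that trusts the return code alone would dereference `obj` after `call_before`; with `call_after` the error return stops it first.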
Defensive priority
medium
Recommended defensive actions
- Review Siemens ProductCERT advisory SSA-355557 for detailed product impact assessment and patch availability
- Verify affected product configurations per CISA ICS Advisory ICSA-25-226-07 revision history
- Apply kernel updates from Siemens when available for affected RUGGEDCOM and SCALANCE devices
- Monitor CISA ICS advisories for updates to this vulnerability
- Implement network segmentation for industrial control systems per CISA recommended practices
Evidence notes
Source: CISA ICS Advisory ICSA-25-226-07 (CSAF format). Impact category marked as 'Misinformed' in threat data. CVE originates from Linux kernel drm/amdgpu driver NULL pointer dereference when acpi_evaluate_object() returns AE_NOT_FOUND. Advisory republished 2026-02-25 based on Siemens ProductCERT SSA-355557 update.
Official resources
- CVE-2024-53060 CVE record (CVE.org)
- CVE-2024-53060 NVD detail (NVD)
- Source item URL (cisa_csaf)
- Source reference (Reference)
2025-08-12