PatchSiren cyber security CVE debrief
CVE-2024-54021 Siemens CVE debrief
CVE-2024-54021 was published on 2025-02-11 and republished/updated on 2026-03-12 in CISA's Siemens RUGGEDCOM APE1808 advisory. The source corpus describes improper neutralization of CRLF sequences in HTTP headers (HTTP response splitting) that could allow unauthorized code or commands to be injected via a crafted HTTP header. The advisory is medium severity (CVSS 6.5) and the issue is reachable over the network without authentication. The remediation section in the supplied corpus points to a vendor update path, but the corpus also contains a product/vendor text mismatch (Siemens RUGGEDCOM APE1808 advisory text paired with Fortinet/FortiGate remediation language), so defenders should confirm the exact affected asset and software image and follow the latest Siemens ProductCERT/CISA guidance before making changes.
- Vendor: Siemens
- Product: RUGGEDCOM APE1808
- CVSS: MEDIUM 6.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2025-02-11
- Original CVE updated: 2026-03-12
- Advisory published: 2025-02-11
- Advisory updated: 2026-03-12
Who should care
OT/ICS operators and security teams responsible for Siemens RUGGEDCOM APE1808 deployments, especially anyone managing exposed web interfaces or relying on CISA/Siemens ProductCERT advisories for remediation planning.
Technical summary
The advisory describes improper neutralization of CRLF sequences in HTTP headers, consistent with HTTP response splitting (CWE-113): if attacker-supplied input is copied into a response header without rejecting carriage return and line feed characters, the attacker can terminate that header and append headers or an entire second response of their own. In the supplied description, a crafted HTTP header may be used to trigger unauthorized code or command execution. The issue is network-based and requires no privileges or user interaction per the CVSS vector, which is scored CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L. Note that the vector's impact sub-scores are modest (no confidentiality impact, low integrity and availability), so read "code or command" in the CRLF-injection sense of attacker-controlled response content unless the vendor advisory states a broader impact. The source corpus does not provide exploit details, and it does not place the vulnerability in KEV.
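The mechanism in the paragraph above, shown as an added example for this debrief (it is not code from RUGGEDCOM APE1808, FortiOS or any vendor advisory): a constructed redirect handler copies a decoded query parameter into the Location header, a downstream parser then sees two responses, and the hardened variant refuses any field value containing control characters. The attack query, the handler and the parser are all assumptions built for illustration.

```python
"""CWE-113 (CRLF injection / HTTP response splitting) in a header builder.

Added illustration; the toy redirect handler is a constructed stand-in for
"an HTTP header built from attacker input", not any product's code.
"""
import re
from urllib.parse import parse_qs

CRLF = "\r\n"

# Constructed attacker request. The CR/LF pairs arrive URL-encoded (%0d%0a),
# so a filter that inspects the value before decoding would miss them.
ATTACK_QUERY = (
    "next=https://example.test/%0d%0aContent-Length:%200%0d%0a%0d%0a"
    "HTTP/1.1%20200%20OK%0d%0aContent-Type:%20text/plain%0d%0a"
    "Content-Length:%208%0d%0a%0d%0ainjected"
)
BENIGN_QUERY = "next=https://example.test/dashboard"


def redirect_target(query: str) -> str:
    """Decode the 'next' parameter the way a typical web framework would."""
    return parse_qs(query, keep_blank_values=True).get("next", [""])[0]


def build_redirect_vulnerable(query: str) -> bytes:
    """Copies the decoded value straight into the Location header.
    Anything after an injected CRLF is emitted as further headers/body."""
    return (
        "HTTP/1.1 302 Found" + CRLF
        + "Location: " + redirect_target(query) + CRLF
        + "Content-Length: 0" + CRLF
        + CRLF
    ).encode("latin-1")


# RFC 9110 field-value characters: HTAB, visible ASCII, obs-text. No CR/LF/NUL.
_FIELD_VALUE = re.compile(r"^[\t\x20-\x7e\x80-\xff]*$")


def is_safe_header_value(value: str) -> bool:
    return bool(_FIELD_VALUE.match(value))


def build_redirect_hardened(query: str) -> bytes:
    """Same handler, but refuses (rather than strips) control characters and
    validates the decoded value, which is what actually lands on the wire."""
    target = redirect_target(query)
    if not is_safe_header_value(target):
        raise ValueError("refusing header value containing control characters")
    return (
        "HTTP/1.1 302 Found" + CRLF
        + "Location: " + target + CRLF
        + "Content-Length: 0" + CRLF
        + CRLF
    ).encode("latin-1")


def hardened_rejects(query: str) -> bool:
    """True if the hardened builder refuses the request."""
    try:
        build_redirect_hardened(query)
    except ValueError:
        return True
    return False


def parse_responses(raw: bytes) -> list:
    """Minimal Content-Length based splitter, modelling how a downstream
    client or caching proxy would carve one byte stream into responses."""
    out, pos = [], 0
    while pos < len(raw):
        end = raw.find(b"\r\n\r\n", pos)
        if end == -1:
            break
        head = raw[pos:end].decode("latin-1").split("\r\n")
        if not head[0].startswith("HTTP/"):
            break  # leftover bytes that do not form a response
        headers = {}
        for line in head[1:]:
            name, _, value = line.partition(":")
            headers[name.strip().lower()] = value.strip()
        length = int(headers.get("content-length", "0"))
        body = raw[end + 4:end + 4 + length]
        out.append({"status": head[0], "headers": headers, "body": body})
        pos = end + 4 + length
    return out


def split_count(query: str) -> int:
    """How many responses a downstream parser sees for a single request."""
    return len(parse_responses(build_redirect_vulnerable(query)))


if __name__ == "__main__":
    for r in parse_responses(build_redirect_vulnerable(ATTACK_QUERY)):
        print(r["status"], r["headers"], r["body"])
    print("hardened rejects attack:", hardened_rejects(ATTACK_QUERY))
```

The hardened builder validates after URL-decoding and rejects rather than strips, because stripping `\r\n` still leaves bare `\r` or `\n` that some parsers treat as line terminators; the rejection list is the RFC 9110 field-value character set, not a denylist of two bytes.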
Defensive priority
Medium priority. The issue is remotely reachable and can affect integrity and availability, but the corpus does not indicate active exploitation or KEV inclusion. Prioritize validation of exposure, vendor guidance, and patch applicability.
Recommended defensive actions
- Confirm whether Siemens RUGGEDCOM APE1808 is present in your environment and whether any exposed HTTP interfaces are reachable from untrusted networks.
- Review Siemens ProductCERT advisory SSA-770770 and the CISA advisory ICSA-25-044-06 for the latest remediation guidance.
- Apply the vendor-provided fix path referenced in the advisory corpus after verifying the exact affected product and version scope.
- Restrict network access to management and web interfaces, especially from external or less-trusted segments.
- Monitor for CR/LF sequences (raw, or URL-encoded as %0d/%0a, including double-encoded forms) in request parameters and header values reaching affected devices, and for unexpected extra headers, redirects, or unusual responses leaving them.
- Use standard ICS defense-in-depth controls such as segmentation, least privilege, and monitoring as outlined in the CISA recommended practices links.
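A detection sketch for the monitoring action above, added here as an example rather than taken from any vendor or CISA material: it scans combined-format web access logs for CR/LF in the request target, decoding up to three rounds so that double-encoded payloads are caught, and counts hits per source address. The log format and sample lines are constructed; RUGGEDCOM or FortiOS log layouts will differ and the regex would need adjusting.

```python
"""Flag HTTP requests carrying CR/LF (raw or URL-encoded) in the request target.

Added example; the combined-style log lines below are constructed test data.
"""
import re
from collections import Counter
from urllib.parse import unquote

SAMPLE_LOG = r"""
192.0.2.10 - - [11/Feb/2025:10:00:01 +0000] "GET /login?next=/dashboard HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.10 - - [11/Feb/2025:10:00:02 +0000] "GET /static/app.css HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [11/Feb/2025:10:00:03 +0000] "GET /login?next=/x%0d%0aSet-Cookie:%20admin=1 HTTP/1.1" 302 0 "-" "curl/8.0"
198.51.100.7 - - [11/Feb/2025:10:00:04 +0000] "GET /login?next=/x%250D%250ALocation:%20http://evil.test HTTP/1.1" 302 0 "-" "curl/8.0"
203.0.113.5 - - [11/Feb/2025:10:00:05 +0000] "GET /login?next=/dashboard HTTP/1.1" 302 0 "-" "python-requests/2.31"
"""

# Apache/nginx "combined" request line; only the fields the detector needs.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" (?P<status>\d{3})'
)


def has_crlf(value: str, max_rounds: int = 3) -> bool:
    """True if CR or LF appears raw, URL-encoded, or nested-encoded.

    Decoding is repeated until the value stops changing (or max_rounds is
    hit), because %250d%250a becomes %0d%0a after one round and CRLF after
    two; a single-decode check would miss it.
    """
    cur = value
    for _ in range(max_rounds + 1):
        if "\r" in cur or "\n" in cur:
            return True
        nxt = unquote(cur)
        if nxt == cur:
            return False
        cur = nxt
    return False


def scan_log(text: str) -> list:
    """Return one record per request whose target carries CR/LF."""
    hits = []
    for line in text.strip().splitlines():
        m = LOG_RE.match(line)
        if not m or not has_crlf(m["target"]):
            continue
        hits.append({"ip": m["ip"], "ts": m["ts"], "target": m["target"]})
    return hits


def offenders(text: str) -> Counter:
    """Hit count per source address, for triage and blocking decisions."""
    return Counter(h["ip"] for h in scan_log(text))


if __name__ == "__main__":
    for h in scan_log(SAMPLE_LOG):
        print(h["ts"], h["ip"], h["target"])
    print(offenders(SAMPLE_LOG))
```

Header values are not in a standard access log, so this only covers the request line; if the affected interface logs request headers, run `has_crlf` over those values too. On a perimeter proxy the same check can be applied inline before the request reaches the device.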
Evidence notes
Primary evidence comes from the supplied CISA CSAF source item for ICSA-25-044-06, which identifies CVE-2024-54021, lists Siemens as the vendor, and names Siemens RUGGEDCOM APE1808 as the affected product. The source description states an improper neutralization of CRLF sequences in HTTP headers leading to unauthorized code or commands via a crafted HTTP header. The corpus also includes Siemens ProductCERT references (SSA-770770 JSON/HTML) and CISA advisory links. The remediation text in the corpus references updating FortiGate NGFW to v7.4.7, which does not match the Siemens product naming; this reads as an internal source inconsistency. One plausible reconciliation is that the affected component is a Fortinet NGFW image hosted on the APE1808 platform rather than Siemens firmware, but that should be confirmed against the official advisory before action, together with which software image your units actually run. No KEV entry is provided in the supplied data.
Official resources
- CVE-2024-54021 CVE record (CVE.org)
- CVE-2024-54021 NVD detail (NVD)
- Source item URL (cisa_csaf)
CISA published the advisory on 2025-02-11 and republished it on 2026-03-12. No KEV listing was provided in the source corpus. The corpus contains a vendor/product wording mismatch, so validate affected versions and remediation directly with