PatchSiren cyber security CVE debrief

CVE-2024-56567 Siemens CVE debrief

CVE-2024-56567 is a division-by-zero vulnerability in the Linux kernel's AD7780 analog-to-digital converter driver. The flaw exists in the `ad7780_write_raw()` function where the `val2` parameter can be zero, leading to a division-by-zero error when passed to `DIV_ROUND_CLOSEST()`. While `val` is explicitly documented as potentially zero (for read mode), `val2` lacks such specification, creating an unhandled edge case. This vulnerability affects Siemens industrial networking products running SINEC OS, specifically the RUGGEDCOM RST2428P and multiple SCALANCE switch families. The CVSS 3.1 score of 5.5 (MEDIUM) reflects local attack vector, low attack complexity, and low privileges required, with high availability impact but no confidentiality or integrity impact. The vulnerability was published on August 12, 2025, with the advisory last modified on February 25, 2026, when CISA republished updates based on Siemens ProductCERT advisory SSA-355557. Siemens has provided vendor fixes, with updates to V3.2 or later versions recommended for affected products.

Vendor: Siemens
Product: RUGGEDCOM RST2428P (6GK6242-6PA00)
CVSS: MEDIUM 5.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2025-08-12
Original CVE updated: 2026-02-25
Advisory published: 2025-08-12
Advisory updated: 2026-02-25

Who should care

Organizations operating Siemens industrial networking infrastructure including RUGGEDCOM RST2428P switches and SCALANCE XC-300/XR-300/XC-400/XR-500WG/XR-500 and XCM-/XRM-/XCH-/XRH-300 families. System integrators and OT security teams responsible for patch management in industrial control environments. Linux kernel maintainers and embedded systems developers working with industrial I/O drivers, particularly those implementing ADC interfaces.

Technical summary

The vulnerability resides in the `ad7780_write_raw()` function of the Linux kernel's AD7780 industrial I/O driver. This function implements the `write_raw` callback from `struct iio_info` for the Analog Devices AD7780 ADC. The function uses `DIV_ROUND_CLOSEST()` with `val2` as a divisor without validating that `val2` is non-zero. Unlike `val`, which is explicitly documented as potentially zero for read mode operations, `val2` has no such specification, allowing a zero value to trigger a division-by-zero fault. This represents a classic input validation deficiency in kernel driver code. The vulnerability is exploitable locally with low privileges and can cause denial of service (high availability impact) through kernel panic or driver malfunction. The attack surface is limited to local access due to the nature of industrial I/O driver interfaces.

Defensive priority

medium

Recommended defensive actions

Apply vendor-provided updates to V3.2 or later for affected Siemens RUGGEDCOM and SCALANCE products per Siemens ProductCERT guidance
Review SCALANCE XC-300/XR-300/XC-400/XR-500WG/XR-500 family configurations for additional hardening requirements as specified in vendor documentation
Monitor industrial control systems for anomalous behavior that may indicate exploitation attempts against kernel drivers
Implement defense-in-depth strategies for industrial control systems as recommended by CISA
Establish patch management procedures for third-party Linux kernel components in embedded industrial devices

Evidence notes

Vulnerability description derived from CISA CSAF advisory ICSA-25-226-07 and Siemens ProductCERT SSA-355557. Affected products confirmed through CSAF product tree: RUGGEDCOM RST2428P (6GK6242-6PA00), SCALANCE XC-300/XR-300/XC-400/XR-500WG/XR-500 family, and SCALANCE XCM-/XRM-/XCH-/XRH-300 family. CVSS vector confirmed as CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C. Remediation guidance specifies update to V3.2 or later for RUGGEDCOM RST2428P and SCALANCE XCM-/XRM-/XCH-/XRH-300 family; additional information provided for SCALANCE XC-300/XR-300/XC-400/XR-500WG/XR-500 family configuration.

Official resources

2025-08-12