PatchSiren cyber security CVE debrief
CVE-2024-56636 Siemens CVE debrief
A vulnerability in the Linux kernel's Generic Network Virtualization Encapsulation (Geneve) implementation affects Siemens industrial networking products. The flaw exists in the `geneve_xmit_skb()` function, which incorrectly assumes the MAC header is set in the output path. This assumption can lead to errors when the MAC header is not properly initialized. The vulnerability stems from using `eth_hdr()` to access the Ethernet header without verifying its presence, rather than the safer `skb_eth_hdr()` function that ensures correct MAC header referencing. The issue has a CVSS 3.1 score of 4.7 (Medium severity), with a local attack vector requiring low privileges but high attack complexity. Successful exploitation could result in high availability impact (denial of service) with no confidentiality or integrity impact. The vulnerability was published on August 12, 2025, and last modified on February 25, 2026, when CISA republished the advisory based on updated Siemens ProductCERT guidance. Siemens has released firmware updates to address this vulnerability in affected industrial Ethernet switch products.
- Vendor: Siemens
- Product: RUGGEDCOM RST2428P (6GK6242-6PA00)
- CVSS: MEDIUM 4.7
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2025-08-12
- Original CVE updated: 2026-02-25
- Advisory published: 2025-08-12
- Advisory updated: 2026-02-25
Who should care
Organizations operating Siemens RUGGEDCOM RST2428P or SCALANCE XC-300/XR-300/XC-400/XR-500WG/XR-500/XCM-/XRM-/XCH-/XRH-300 family industrial Ethernet switches in critical infrastructure environments, including utilities, manufacturing, transportation, and energy sectors. Security teams responsible for OT/ICS network security and patch management should prioritize assessment and remediation.
Technical summary
The vulnerability exists in the Linux kernel's Geneve (Generic Network Virtualization Encapsulation) driver, specifically in the `geneve_xmit_skb()` transmit function. The code incorrectly assumes that the MAC (Ethernet) header is always set when processing packets in the output path. This unsafe assumption leads to potential errors when accessing the Ethernet header via `eth_hdr()`, which locates the header through the skb's MAC header offset and does not validate that the offset was set. The fix replaces `eth_hdr()` with `skb_eth_hdr()`, which reads the Ethernet header from the start of the packet data (`skb->data`) and therefore does not depend on the MAC header having been initialized. The vulnerability is exploitable locally with low privileges but requires high attack complexity, limiting practical exploitation. Impact is restricted to availability (denial of service) with no confidentiality or integrity consequences. Affected Siemens products include RUGGEDCOM RST2428P industrial Ethernet switches and multiple SCALANCE industrial switch families, all running SINEC OS with vulnerable Linux kernel versions.
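The difference between the two accessors, as an added example that is not part of the advisory or the kernel source: a userspace C model in which `struct skb_model`, `MAC_UNSET` and the helper names are hypothetical, the frame is constructed sample data, and the EtherType is read only as a representative header field.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ETH_HLEN   14
#define MAC_UNSET  0xFFFFu  /* "mac_header not set" sentinel, modelled on the kernel's u16 ~0U */

struct skb_model {          /* simplified, hypothetical stand-in for struct sk_buff */
    uint8_t  head[128];     /* backing buffer */
    size_t   data;          /* offset of the current packet data within head */
    uint16_t mac_header;    /* offset of the MAC header, or MAC_UNSET */
};

/* Constructed sample: a frame queued for transmit whose mac_header was never set. */
static void build_tx_skb(struct skb_model *skb) {
    static const uint8_t frame[ETH_HLEN] = {
        0x02,0,0,0,0,0x01,  0x02,0,0,0,0,0x02,  0x08,0x00 }; /* dst, src, EtherType IPv4 */
    memset(skb, 0, sizeof(*skb));
    skb->data = 32;                          /* headroom before the frame */
    memcpy(skb->head + skb->data, frame, sizeof(frame));
    skb->mac_header = MAC_UNSET;             /* output path: nobody set it */
}

/* Bounds-checked EtherType read at a header offset; -1 if the header falls outside head. */
static int read_ethertype(const struct skb_model *skb, size_t off, uint16_t *out) {
    if (off > sizeof(skb->head) - ETH_HLEN)
        return -1;
    *out = (uint16_t)(skb->head[off + 12] << 8 | skb->head[off + 13]);
    return 0;
}

/* eth_hdr() style: header taken to be at head + mac_header, whether or not it was set. */
static int ethertype_via_eth_hdr(const struct skb_model *skb, uint16_t *out) {
    return read_ethertype(skb, skb->mac_header, out);
}

/* skb_eth_hdr() style: header taken to be at the start of the packet data. */
static int ethertype_via_skb_eth_hdr(const struct skb_model *skb, uint16_t *out) {
    return read_ethertype(skb, skb->data, out);
}

int main(void) {
    struct skb_model skb; uint16_t proto = 0;
    build_tx_skb(&skb);
    int bad = ethertype_via_eth_hdr(&skb, &proto);
    int ok  = ethertype_via_skb_eth_hdr(&skb, &proto);
    printf("eth_hdr: %d, skb_eth_hdr: %d (EtherType 0x%04x)\n", bad, ok, proto);
    return 0;
}
```

The model's bounds check stands in for what the real `eth_hdr()` lacks: with the offset unset, the computed header location lies far outside the buffer, while the data-based accessor finds the frame where it was written.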
Defensive priority
medium
Recommended defensive actions
- Apply vendor-provided firmware updates to V3.2 or later for RUGGEDCOM RST2428P and SCALANCE XCM-/XRM-/XCH-/XRH-300 family devices
- For SCALANCE XC-300/XR-300/XC-400/XR-500WG/XR-500 family, consult Siemens ProductCERT advisory SSA-355557 for specific configuration guidance and update instructions
- Implement network segmentation to limit local access to affected industrial control systems
- Monitor for anomalous network traffic patterns that could indicate attempted exploitation of Geneve tunneling functions
- Apply defense-in-depth strategies per CISA ICS recommended practices for industrial control system security
Evidence notes
Vulnerability description and remediation details sourced from CISA CSAF advisory ICSA-25-226-07, which references Siemens ProductCERT advisory SSA-355557. CVSS vector confirms local attack vector with high attack complexity and availability impact only. Affected products identified through CSAF product tree with high confidence.
Official resources
- CVE-2024-56636 CVE record (CVE.org)
- CVE-2024-56636 NVD detail (NVD)
- Source item URL (cisa_csaf)
- Source reference (Reference)
2025-08-12