PatchSiren

CVE-2024-56637 Siemens CVE debrief

A race condition vulnerability exists in the Linux kernel netfilter ipset subsystem. User space can unload the ip_set.ko kernel module while the module is itself requesting a set type backend module, potentially resulting in a kernel crash. This vulnerability affects Siemens industrial networking products running SINEC OS, specifically the RUGGEDCOM RST2428P and SCALANCE switch families. The issue is local in scope, requiring low privileges and no user interaction, with high availability impact.

Vendor: Siemens
Product: RUGGEDCOM RST2428P (6GK6242-6PA00)
CVSS: MEDIUM 5.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2025-08-12
Original CVE updated: 2026-02-25
Advisory published: 2025-08-12
Advisory updated: 2026-02-25

Who should care

  • Organizations operating Siemens RUGGEDCOM RST2428P switches or SCALANCE XC-300/XR-300/XC-400/XR-500WG/XR-500 and XCM-/XRM-/XCH-/XRH-300 family switches in industrial environments.
  • System administrators responsible for OT/ICS network infrastructure security.
  • Security teams managing firmware lifecycle for industrial networking equipment.

Technical summary

The vulnerability exists in the netfilter ipset subsystem of the Linux kernel. A race condition occurs when user space unloads the ip_set.ko module while a set type backend module request is in progress. This timing window can cause a kernel crash due to use-after-free or null pointer dereference conditions. The attack requires local access with low privileges and no user interaction. Affected Siemens products embed vulnerable Linux kernel versions in their SINEC OS firmware.

Defensive priority

Medium

Recommended defensive actions

  • Update affected Siemens products to SINEC OS V3.2 or later. For SCALANCE XC-300/XR-300/XC-400/XR-500WG/XR-500 family, consult vendor documentation for specific configuration guidance.
  • Apply vendor-provided firmware updates through the Siemens Industry Online Support portal.
  • Implement network segmentation for industrial control systems to limit local access vectors.
  • Follow CISA ICS recommended practices for defense-in-depth strategies.
  • Monitor for anomalous kernel module loading/unloading activity on affected systems.
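
One way to act on the module-monitoring recommendation, as an added example that is not code from Siemens or from this debrief: it correlates Linux audit records and flags an unload of ip_set that falls close in time to a load of an ip_set_* set type backend. Assumptions: auditd SYSCALL and KERN_MODULE records are available from the monitored Linux host (the page does not say SINEC OS exposes them), syscall numbers are x86_64, the 2-second window is an arbitrary starting value, and the sample records are constructed.

```python
import re
from collections import defaultdict

# Assumption: x86_64 syscall numbers; other architectures use different values.
LOAD_SYSCALLS = {"175", "313"}    # init_module, finit_module
UNLOAD_SYSCALLS = {"176"}         # delete_module
WINDOW_SECONDS = 2.0              # assumed correlation window, tune per site

RECORD_RE = re.compile(r"type=(\w+) msg=audit\((\d+\.\d+):(\d+)\): (.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed sample records (not captured from a real device).
SAMPLE_AUDIT_LINES = [
    'type=SYSCALL msg=audit(1755000000.100:501): arch=c000003e syscall=313 success=yes exit=0 uid=0 comm="modprobe"',
    'type=KERN_MODULE msg=audit(1755000000.100:501): name="ip_set_hash_ip"',
    'type=SYSCALL msg=audit(1755000000.350:502): arch=c000003e syscall=176 success=yes exit=0 uid=0 comm="rmmod"',
    'type=KERN_MODULE msg=audit(1755000000.350:502): name="ip_set"',
    'type=SYSCALL msg=audit(1755003600.000:640): arch=c000003e syscall=176 success=yes exit=0 uid=0 comm="rmmod"',
    'type=KERN_MODULE msg=audit(1755003600.000:640): name="ip_set"',
]

def parse_module_events(lines):
    """Join SYSCALL and KERN_MODULE records that share one audit event id."""
    events = defaultdict(dict)
    for line in lines:
        m = RECORD_RE.match(line.strip())
        if not m:
            continue
        rtype, ts, serial, body = m.groups()
        fields = {k: v.strip('"') for k, v in FIELD_RE.findall(body)}
        ev = events[(ts, serial)]
        ev["time"] = float(ts)
        if rtype == "SYSCALL":
            ev.update(syscall=fields.get("syscall"), comm=fields.get("comm"), uid=fields.get("uid"))
        elif rtype == "KERN_MODULE":
            ev["module"] = fields.get("name")
    out = []
    for ev in events.values():
        action = ("load" if ev.get("syscall") in LOAD_SYSCALLS
                  else "unload" if ev.get("syscall") in UNLOAD_SYSCALLS else None)
        if action and ev.get("module"):
            out.append({**ev, "action": action})
    return sorted(out, key=lambda e: e["time"])

def find_ipset_unload_near_backend_load(lines, window=WINDOW_SECONDS):
    """Flag ip_set unloads within `window` seconds of an ip_set_* backend load."""
    events = parse_module_events(lines)
    loads = [e for e in events if e["action"] == "load" and e["module"].startswith("ip_set_")]
    alerts = []
    for e in events:
        if e["action"] == "unload" and e["module"] == "ip_set":
            near = [l["module"] for l in loads if abs(l["time"] - e["time"]) <= window]
            if near:
                alerts.append({"time": e["time"], "comm": e["comm"], "uid": e["uid"], "backends": near})
    return alerts
```

A crash can prevent the final records from reaching disk, so this check is more reliable against logs forwarded off the host as they are written.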

Evidence notes

CVE published 2025-08-12; CISA advisory ICSA-25-226-07 was published the same date. Siemens ProductCERT advisory SSA-355557 is referenced as the authoritative source. The advisory was modified 2026-02-25, with republication based on updated Siemens guidance. The CVSS 3.1 vector confirms a local attack vector with low attack complexity.
