PatchSiren cyber security CVE debrief
CVE-2024-56650 Siemens CVE debrief
CVE-2024-56650 is a HIGH severity vulnerability (CVSS 7.8) in the Linux kernel's netfilter x_tables subsystem, specifically in the `led_tg_check()` function. The vulnerability involves an improper LED ID check that was detected by KASAN (Kernel Address Sanitizer) and reported by Syzbot. This flaw could allow a local attacker with low privileges to achieve high impacts on confidentiality, integrity, and availability. The vulnerability affects Siemens industrial networking products running SINEC OS, including the RUGGEDCOM RST2428P and SCALANCE XC-300/XR-300/XC-400/XR-500WG/XR-500 family devices. Siemens has released updates to address this issue, with remediation available through firmware updates to version 3.2 or later. The vulnerability was initially published on August 12, 2025, with subsequent advisory updates through February 25, 2026, to clarify affected product configurations and remove rejected CVEs from related advisories.
- Vendor
- Siemens
- Product
- RUGGEDCOM RST2428P (6GK6242-6PA00)
- CVSS
- HIGH 7.8
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2025-08-12
- Original CVE updated
- 2026-02-25
- Advisory published
- 2025-08-12
- Advisory updated
- 2026-02-25
Who should care
Organizations operating Siemens RUGGEDCOM RST2428P, SCALANCE XC-300/XR-300/XC-400/XR-500WG/XR-500 family, or SCALANCE XCM-/XRM-/XCH-/XRH-300 family industrial networking devices. Critical infrastructure operators, manufacturing facilities, and utility providers using affected Siemens OT/ICS equipment should prioritize patching. Security teams responsible for industrial control system defense and vulnerability management programs.
Technical summary
The vulnerability exists in the `led_tg_check()` function within the Linux kernel's netfilter x_tables subsystem. The function fails to properly validate LED ID values, leading to a memory safety violation detected by KASAN. This improper input validation (CWE-125: Out-of-bounds Read) allows a local attacker with low privileges to potentially escalate privileges and achieve high impact on system confidentiality, integrity, and availability. The vulnerability affects Siemens industrial networking products that incorporate the vulnerable Linux kernel component, specifically those running SINEC OS firmware versions prior to 3.2.
Defensive priority
HIGH
Recommended defensive actions
- Apply vendor-provided firmware updates to version 3.2 or later for affected Siemens RUGGEDCOM and SCALANCE products
- Review and implement CISA ICS recommended practices for industrial control system defense in depth
- Monitor Siemens ProductCERT advisories for additional affected product clarifications
- Validate that local access controls limit exposure to this local privilege escalation vulnerability
- Consider network segmentation for affected industrial control devices per CISA guidance
Evidence notes
Vulnerability confirmed through CISA ICS advisory ICSA-25-226-07 and Siemens ProductCERT SSA-355557. The issue was resolved in the Linux kernel netfilter x_tables subsystem. KASAN detection indicates memory safety violation. CVSS vector confirms local attack vector with low attack complexity and low privileges required, but high impacts across all three security dimensions.
Official resources
-
CVE-2024-56650 CVE record
CVE.org
-
CVE-2024-56650 NVD detail
NVD
-
Source item URL
cisa_csaf
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
2025-08-12