PatchSiren cyber security CVE debrief

CVE-2024-56704 Siemens CVE debrief

CVE-2024-56704 describes a double-free condition in the 9p/xen subsystem where IRQ (Interrupt Request) resources were being freed twice, as indicated by kernel log messages. The vulnerability was published on August 12, 2025, and last modified on February 25, 2026. The issue affects Siemens industrial networking products running SINEC OS, specifically the RUGGEDCOM RST2428P and SCALANCE XC-300/XR-300/XC-400/XR-500WG/XR-500 family devices. However, CISA's advisory marks the impact assessment as 'Misinformed,' suggesting the initial severity or impact characterization may have been incorrect. The advisory underwent multiple revisions, with the most significant update on February 25, 2026, when CISA republished based on Siemens ProductCERT's SSA-355557 advisory. No CVSS score or severity rating is currently assigned. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, and there is no indication of known ransomware campaign use.

Vendor: Siemens
Product: RUGGEDCOM RST2428P (6GK6242-6PA00)
CVSS: Unknown
CISA KEV: Not listed in stored evidence
Original CVE published: 2025-08-12
Original CVE updated: 2026-02-25
Advisory published: 2025-08-12
Advisory updated: 2026-02-25

Who should care

Organizations operating Siemens RUGGEDCOM RST2428P or SCALANCE XC/XR-series industrial Ethernet switches with SINEC OS should monitor this advisory. System administrators responsible for virtualized industrial environments using Xen paravirtualization should be aware of potential kernel stability issues. Security teams in critical infrastructure sectors (energy, manufacturing, transportation) using affected Siemens networking equipment should track vendor patches. The 'Misinformed' impact rating suggests lower immediate priority, but verification against actual deployment configurations remains prudent.

Technical summary

CVE-2024-56704 is a kernel-level vulnerability in the 9p/xen subsystem related to improper IRQ (Interrupt Request) resource management. The issue manifests as a double-free condition, where an IRQ is freed twice, generating corresponding kernel log messages. The vulnerability affects Siemens industrial networking equipment running SINEC OS. The 9p/xen subsystem is part of the Linux kernel's support for the 9P protocol over Xen virtualization, commonly used in paravirtualized environments. A double-free in IRQ handling could potentially lead to system instability, denial of service, or in some cases, privilege escalation, though the specific impact depends on the exact code path and kernel configuration. The CISA advisory's 'Misinformed' impact classification suggests that initial assessments of severity or exploitability may have been overstated or incorrect.

Defensive priority

medium

Recommended defensive actions

Review Siemens ProductCERT advisory SSA-355557 for authoritative product-specific guidance
Verify SINEC OS version and apply vendor-recommended patches when available
Monitor kernel logs for IRQ-related error messages on affected systems
Implement network segmentation for industrial control systems per CISA recommended practices
Subscribe to Siemens ProductCERT security advisories for updates on this vulnerability

Evidence notes

The source CISA CSAF advisory (ICSA-25-226-07) explicitly marks the threat impact as 'Misinformed' for affected product IDs CSAFPID-0006, CSAFPID-0002, and CSAFPID-0003. The advisory revision history shows four updates, with the February 25, 2026 republication specifically noting alignment with Siemens ProductCERT SSA-355557. The CVE description references kernel-level IRQ handling in the 9p/xen virtualization subsystem, indicating a low-level operating system vulnerability rather than an application-layer issue.

Official resources

2025-08-12