PatchSiren

CVE-2024-56720 Siemens CVE debrief

CVE-2024-56720 is a MEDIUM-severity vulnerability (CVSS 5.5) affecting Siemens industrial networking products running SINEC OS. The vulnerability resides in the Linux kernel's BPF (Berkeley Packet Filter) sockmap subsystem, specifically in the bpf_msg_pop_data function. Multiple implementation flaws in sk_msg_shift_left can lead to memory management errors, including improper page reference handling and iterator state corruption that may trigger a kernel BUG. The affected products include RUGGEDCOM RST2428P switches and SCALANCE XC/XR/XCM/XRM/XCH/XRH family industrial Ethernet switches. Siemens has released updates to address this vulnerability; for most affected products, remediation requires upgrading to SINEC OS V3.2 or later. Exploitation requires local access with low privileges. There is no confidentiality or integrity impact, but the potential availability impact is high.

Vendor: Siemens
Product: RUGGEDCOM RST2428P (6GK6242-6PA00)
CVSS: MEDIUM 5.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2025-08-12
Original CVE updated: 2026-02-25
Advisory published: 2025-08-12
Advisory updated: 2026-02-25

Who should care

  • Organizations operating Siemens industrial Ethernet infrastructure, including RUGGEDCOM RST2428P switches and SCALANCE XC/XR/XCM/XRM/XCH/XRH family devices, in manufacturing, energy, transportation, and critical infrastructure sectors
  • Security teams managing OT/ICS environments with SINEC OS deployments
  • Network administrators responsible for patch management of industrial switches
  • Compliance officers tracking CVE remediation for NERC CIP, IEC 62443, or similar industrial cybersecurity frameworks

Technical summary

CVE-2024-56720 encompasses five distinct flaws in the Linux kernel's BPF sockmap implementation, in the bpf_msg_pop_data and sk_msg_shift_left functions: (1) a missing put_page call causing a memory reference leak, (2) a missing early return for zero-length operations, (3) failure to support full message pop operations, (4) an incorrect calculation of the value of variable 'a', and (5) improper iterator advancement that can trigger a BUG. The vulnerability is exposed through SINEC OS, Siemens' network operating system based on embedded Linux, deployed on RUGGEDCOM RST2428P and SCALANCE industrial Ethernet switch families. The CVSS 3.1 vector AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H indicates a local attack vector, low attack complexity, low privileges required, no user interaction, unchanged scope, no confidentiality or integrity impact, and high availability impact. Exploitation could cause a kernel panic or denial of service on affected industrial network infrastructure.

Defensive priority

medium

Recommended defensive actions

  • Update affected Siemens industrial switches to SINEC OS V3.2 or later version to remediate the BPF sockmap vulnerability
  • For SCALANCE XC-300/XR-300/XC-400/XR-500WG/XR-500 family, consult Siemens ProductCERT advisory SSA-355557 for specific configuration guidance and patch availability
  • Apply defense-in-depth practices for industrial control systems per CISA recommendations, including network segmentation and restricted physical access to devices
  • Monitor for anomalous local activity on affected devices, as exploitation requires local access with low privileges
  • Review and implement Siemens security advisories for SINEC OS deployments to ensure comprehensive coverage of third-party component vulnerabilities

Evidence notes

CVE published 2025-08-12 per CISA CSAF advisory ICSA-25-226-07. Modified 2026-02-25. Advisory republished by CISA based on Siemens ProductCERT SSA-355557. Multiple revision history entries confirm timeline: initial publication 2025-08-12, corrections 2026-02-12, clarification 2026-02-24, republication 2026-02-25.
