PatchSiren cyber security CVE debrief
CVE-2024-6232 Siemens CVE debrief
CVE-2024-6232 is a Regular Expression Denial of Service (ReDoS) vulnerability in CPython's tarfile module, affecting Siemens industrial networking products. The vulnerability stems from regular expressions in tarfile.TarFile header parsing that permit excessive backtracking when processing specially crafted tar archives. An unauthenticated remote attacker can exploit this flaw to exhaust CPU and cause a high availability impact. The vulnerability carries a CVSS 3.1 base score of 7.5 (HIGH) with vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H: network attack vector, low attack complexity, no privileges required, no user interaction, unchanged scope, no confidentiality or integrity impact, and high availability impact. Siemens has confirmed that affected products include RUGGEDCOM RST2428P and the SCALANCE XC-300/XR-300/XC-400/XR-500WG/XR-500 family. The vendor fix is to update to SINEC OS V3.1 or later. CISA published this advisory on August 12, 2025, with revisions through February 25, 2026, to correct the affected product listing and incorporate updates from Siemens ProductCERT advisory SSA-613116. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities catalog, and no use in ransomware campaigns has been documented.
- Vendor: Siemens
- Product: RUGGEDCOM RST2428P (6GK6242-6PA00)
- CVSS: HIGH 7.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2025-08-12
- Original CVE updated: 2026-02-25
- Advisory published: 2025-08-12
- Advisory updated: 2026-02-25
Who should care
Organizations operating Siemens industrial networking infrastructure, including the SCALANCE and RUGGEDCOM product families, particularly where devices process tar archives from external or untrusted sources. Critical infrastructure operators in the manufacturing, energy, and transportation sectors using affected devices should prioritize assessment and patching. Security teams responsible for industrial control system (ICS) environments should evaluate exposure and implement the recommended mitigations.
Technical summary
The vulnerability exists in CPython's tarfile module, where the regular expressions used for TarFile header parsing are susceptible to catastrophic backtracking. When parsing a maliciously crafted tar archive header, the regex engine can enter an excessive number of backtracking states, exhausting CPU and denying service. The attack requires no authentication and can be conducted remotely. The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) reflects network accessibility, low complexity, and high availability impact with no confidentiality or integrity effects. The Siemens SCALANCE XC-300/XR-300/XC-400/XR-500WG/XR-500 family and RUGGEDCOM RST2428P products running affected SINEC OS versions ship this vulnerable CPython component.
Defensive priority
HIGH
Recommended defensive actions
- Update affected Siemens devices to SINEC OS V3.1 or later version to remediate the tarfile ReDoS vulnerability
- Review network segmentation for affected industrial control systems to limit exposure of tarfile processing functions
- Monitor for anomalous CPU utilization patterns on devices processing tar archives from untrusted sources
- Apply defense-in-depth strategies per CISA ICS recommended practices for industrial control system security
- Validate tar archive sources before processing on affected systems where patching is not immediately feasible
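The following is an added example, not code from PatchSiren, CISA or Siemens, showing what the last action above ("validate tar archive sources before processing") can look like for the header-parsing weakness described in the technical summary. It walks the 512-byte tar header blocks itself, without regular expressions, and refuses any archive whose PAX extended headers (typeflag `x` or `g`, the free-form key=value records) exceed a size budget, so that a ReDoS-prone parser in an unpatched CPython never sees an oversized header. The 64 KiB budget, the `precheck_tar` / `open_checked` names and the sample archive are all constructed for this example.

```python
"""Pre-check untrusted tar archives before handing them to tarfile.

Added example (not PatchSiren, CISA or Siemens code). Header fields are read
by fixed offset per the ustar layout; checksums are left to tarfile itself.
"""
import io
import tarfile

BLOCK = 512
PAX_TYPES = {b"x", b"g"}                   # PAX per-member and global extended headers
USTAR_MAGICS = (b"ustar\x00", b"ustar ")   # POSIX ustar and GNU tar magic values
MAX_PAX_HEADER_BYTES = 64 * 1024           # assumed budget; tune to your archives


class TarPrecheckError(ValueError):
    """Raised when an archive fails the structural pre-check."""


def _octal_field(raw: bytes) -> int:
    """Decode a NUL/space-terminated octal header field."""
    if raw[:1] == b"\x80":
        # GNU base-256 encoding is only used for sizes >= 8 GiB; reject outright.
        raise TarPrecheckError("base-256 size field not accepted")
    digits = raw.strip(b"\x00 ")
    return int(digits, 8) if digits else 0


def precheck_tar(data: bytes, max_pax_bytes: int = MAX_PAX_HEADER_BYTES):
    """Walk the header blocks and return [(name, typeflag, size), ...].

    Raises TarPrecheckError on unknown magic, truncation, or a PAX header
    larger than max_pax_bytes.
    """
    members = []
    offset = 0
    while offset + BLOCK <= len(data):
        header = data[offset:offset + BLOCK]
        if header == b"\x00" * BLOCK:
            break                                  # end-of-archive marker
        if header[257:263] not in USTAR_MAGICS:
            raise TarPrecheckError(f"unrecognised header magic at offset {offset}")
        name = header[0:100].split(b"\x00", 1)[0].decode("utf-8", "replace")
        size = _octal_field(header[124:136])       # payload size, octal
        typeflag = header[156:157] or b"0"
        if typeflag in PAX_TYPES and size > max_pax_bytes:
            raise TarPrecheckError(
                f"PAX header of {size} bytes at offset {offset} exceeds {max_pax_bytes}")
        members.append((name, typeflag.decode("ascii", "replace"), size))
        offset += BLOCK + ((size + BLOCK - 1) // BLOCK) * BLOCK   # skip payload blocks
        if offset > len(data):
            raise TarPrecheckError("archive truncated inside a member payload")
    return members


def open_checked(data: bytes, max_pax_bytes: int = MAX_PAX_HEADER_BYTES) -> tarfile.TarFile:
    """Return a TarFile for data only after the structural pre-check passes."""
    precheck_tar(data, max_pax_bytes)
    return tarfile.open(fileobj=io.BytesIO(data), mode="r:")


def list_members(data: bytes) -> list:
    """Member names as tarfile resolves them (PAX 'path' records applied)."""
    with open_checked(data) as tf:
        return tf.getnames()


def build_sample_archive() -> bytes:
    """Constructed sample: a short name plus a >100-char name, which forces a
    PAX 'x' header in PAX_FORMAT. Not a real Siemens or CISA artifact."""
    buf = io.BytesIO()
    long_name = "config/" + "a" * 150 + ".txt"
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.PAX_FORMAT) as tf:
        for name, payload in (("readme.txt", b"hello\n"), (long_name, b"key=value\n")):
            info = tarfile.TarInfo(name)
            info.size = len(payload)
            tf.addfile(info, io.BytesIO(payload))
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_archive()
    for entry in precheck_tar(sample):
        print(entry)
    print(list_members(sample))
```

The pre-check is a compensating control for the period before the SINEC OS V3.1 update is applied: it bounds the input the regex-based parser can receive but does not change the parser itself. A rejected archive is a useful detection signal in its own right and pairs with the CPU-utilization monitoring listed above.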
Evidence notes
Vulnerability description and CVSS vector sourced from CISA CSAF advisory ICSA-25-226-15. Affected product identification derived from CSAF product tree with high confidence. Vendor remediation guidance specifies SINEC OS V3.1 as minimum fixed version. Timeline reflects CISA publication date and subsequent advisory revisions through February 2026.
Official resources
- CVE-2024-6232 CVE record (CVE.org)
- CVE-2024-6232 NVD detail (NVD)
- Source item URL (cisa_csaf)
- Source reference (Reference)
2025-08-12