PatchSiren cyber security CVE debrief

CVE-2024-6874 Siemens CVE debrief

CVE-2024-6874 describes an out-of-bounds stack read in libcurl’s URL API when punycode conversion is performed with the macidn IDN backend and the input is exactly 256 bytes. In Siemens’ advisory coverage, the issue is tied to affected Siemens networking products running impacted SINEC OS firmware. The practical security concern is unintended disclosure of stack contents through a returned string, not code execution. Siemens’ remediation is to update to V3.3 or later for affected products.

Vendor: Siemens
Product: RUGGEDCOM RST2428P (6GK6242-6PA00)
CVSS: LOW 3.1
CISA KEV: Not listed in stored evidence
Original CVE published: 2025-08-12
Original CVE updated: 2026-02-25
Advisory published: 2025-08-12
Advisory updated: 2026-02-25

Who should care

OT/ICS operators, Siemens network device administrators, vulnerability management teams, and anyone running the affected Siemens products or firmware that embed the impacted libcurl configuration.

Technical summary

The underlying flaw is an out-of-bounds stack read in libcurl’s curl_url_get() punycode conversion path when libcurl is built with the macidn IDN backend. For an input name exactly 256 bytes long, the conversion routine can fill the caller’s buffer completely without null-terminating it, so adjacent stack data is read back as part of the returned string. The Siemens/CISA advisory identifies the affected Siemens products and directs operators to update to V3.3 or later; later advisory revisions narrow the impacted scope and clarify that only SINEC OS firmware is affected.
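The failure mode described above, modelled as an added example that is not libcurl’s code or Siemens’ firmware: a hypothetical converter (mock_idn_convert) fills a 256-byte stack buffer without a terminator, beside a bounded caller-side check and the buffer-sizing pattern that removes the edge case. All function names are assumptions; the input names are constructed.

```c
#include <string.h>
#define HOST_BUF 256   /* the fixed stack buffer size at the heart of the bug */

/* Hypothetical stand-in for the IDN conversion step (not libcurl's code):
 * copies `in` into `out` and, like the flawed path described above, only
 * NUL-terminates when the result is shorter than the buffer. */
static size_t mock_idn_convert(const char *in, char *out, size_t cap)
{
    size_t n = strlen(in);
    if (n > cap)
        n = cap;
    memcpy(out, in, n);
    if (n < cap)
        out[n] = '\0';   /* a 256-byte name leaves no terminator */
    return n;
}

/* Caller-side guard: confirm termination with a bounded search before the
 * buffer is treated as a C string. Returns the string length, or -1 when no
 * terminator exists inside the buffer (the case that would leak the stack). */
long host_len_checked(const char *in)
{
    char buf[HOST_BUF];
    mock_idn_convert(in, buf, sizeof buf);
    const char *nul = memchr(buf, '\0', sizeof buf);   /* bounded, unlike strlen */
    return nul ? (long)(nul - buf) : -1;
}

/* Design-side fix: size the buffer one past the converter's cap and
 * terminate from the returned length, so the edge case cannot arise. */
long host_len_fixed(const char *in)
{
    char buf[HOST_BUF + 1];
    size_t n = mock_idn_convert(in, buf, HOST_BUF);
    buf[n] = '\0';       /* n <= HOST_BUF, always in bounds */
    return (long)strlen(buf);
}

/* Constructed input: a host name of `name_len` 'a' characters (capped at
 * HOST_BUF + 1). `checked` selects which caller to run; returns its result. */
long demo(size_t name_len, int checked)
{
    char name[HOST_BUF + 2];
    if (name_len > HOST_BUF + 1)
        name_len = HOST_BUF + 1;
    memset(name, 'a', name_len);
    name[name_len] = '\0';
    return checked ? host_len_checked(name) : host_len_fixed(name);
}
```

Note that the checked caller rejects the exact 256-byte case rather than reading past the buffer, while the sized-buffer variant handles it correctly; the second pattern is the one to reach for in new code.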

Defensive priority

Low overall severity, but prioritize remediation if the affected Siemens firmware is present in production, exposed management networks, or environments where information disclosure from device memory would be sensitive.

Recommended defensive actions

  • Confirm whether any Siemens products in your environment match the advisory’s affected product list and firmware scope.
  • Review the advisory revision history to account for the later clarification that only SINEC OS firmware is impacted.
  • Apply Siemens’ fixed release: update to V3.3 or later for affected products.
  • Inventory where libcurl is used in embedded or appliance firmware and verify whether the macidn IDN backend is present.
  • Limit exposure of management interfaces and follow ICS defense-in-depth practices while patching.

Evidence notes

Supported by the Siemens/CISA CSAF advisory for CVE-2024-6874 and its revision history. The advisory text states that curl_url_get() punycode conversion can read outside a stack buffer when built with the macidn backend, and that a 256-byte input can result in a non-null-terminated string that may return stack contents. The CSAF remediation entries specify updating to V3.3 or later for affected product IDs, and the revision history records later updates that added more product families and clarified the affected firmware scope. The supplied CVSS vector is CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N, matching the low severity. No KEV listing is indicated in the supplied data.

Official resources

Publicly disclosed via CISA ICS Advisory ICSA-26-043-06, which republishes Siemens ProductCERT advisory SSA-089022. The supplied timeline places initial publication on 2026-01-28 and the latest update on 2026-02-25.