PatchSiren

PatchSiren cyber security CVE debrief

CVE-2024-8006 Siemens CVE debrief

CVE-2024-8006 is a denial-of-service vulnerability in libpcap’s remote packet capture support. The affected function, pcap_findalldevs_ex(), is only available when libpcap is built with remote packet capture enabled, which Siemens notes is disabled by default. In the vulnerable path, a failed opendir() result is not checked before the code passes NULL to readdir(), leading to a NULL pointer dereference and process crash. Siemens and CISA associate the issue with affected Siemens industrial networking products running SINEC OS firmware, and the remediation is to update to the fixed vendor release.

Vendor: Siemens
Product: RUGGEDCOM RST2428P (6GK6242-6PA00)
CVSS: MEDIUM 4.4
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-01-28
Original CVE updated: 2026-02-25
Advisory published: 2026-01-28
Advisory updated: 2026-02-25

Who should care

Industrial control system operators, Siemens SINEC OS firmware maintainers, and defenders responsible for SCALANCE/RUGGEDCOM network appliances or any deployment that custom-builds libpcap with remote packet capture support enabled.

Technical summary

The flaw is a NULL pointer dereference in libpcap’s remote packet capture device enumeration path. It requires remote capture support to be enabled at build time and a filesystem path argument that cannot be opened as a directory, causing opendir() to return NULL. The code then calls readdir() without validating the return value. CISA’s CVSS vector (AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H) reflects that exploitation is local and requires high privileges, with availability impact only. The source advisory also indicates the issue is tied to SINEC OS firmware in Siemens products.
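The check whose absence causes the crash, as an added C example (a simplified illustration written for this debrief, not libpcap or Siemens source). The helper name count_dir_entries, its error-buffer convention, and the sample paths are assumptions made for the example.

```c
#include <dirent.h>
#include <errno.h>
#include <stdio.h>
#include <string.h>

/* Unchecked shape of the defect class (shown only as a comment):
 *     DIR *dir = opendir(path);
 *     while ((ent = readdir(dir)) != NULL) ...   // dir may be NULL here
 */

/* Hypothetical helper, not libpcap code: count the entries of `path`.
 * Returns the count, or -1 with a message in errbuf when `path` cannot
 * be opened as a directory. */
int count_dir_entries(const char *path, char *errbuf, size_t errlen)
{
    DIR *dir;
    struct dirent *ent;
    int count = 0;

    if (path == NULL) {
        snprintf(errbuf, errlen, "no path given");
        return -1;
    }
    dir = opendir(path);
    /* opendir() returns NULL for a missing path, a regular file, or a
     * directory the process may not read. Returning an error here keeps
     * NULL from ever reaching readdir(). */
    if (dir == NULL) {
        snprintf(errbuf, errlen, "opendir(%s): %s", path, strerror(errno));
        return -1;
    }
    while ((ent = readdir(dir)) != NULL) {
        if (strcmp(ent->d_name, ".") == 0 || strcmp(ent->d_name, "..") == 0)
            continue;
        count++;
    }
    closedir(dir);
    return count;
}

int main(void)
{
    char errbuf[256] = "";
    /* Constructed inputs: a path that does not exist, then the current directory. */
    if (count_dir_entries("/nonexistent/capture-dir", errbuf, sizeof errbuf) < 0)
        printf("rejected: %s\n", errbuf);
    printf("entries in .: %d\n", count_dir_entries(".", errbuf, sizeof errbuf));
    return 0;
}
```

With the check in place, an unopenable path produces an error return the caller can log instead of a process crash.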

Defensive priority

Medium. The vulnerable code path is not enabled by default and requires elevated local access, but it can still cause a service crash in operational technology environments. Patch planning should prioritize any affected Siemens firmware deployments that use the vulnerable libpcap configuration.

Recommended defensive actions

  • Update affected Siemens products to V3.3 or later, following the Siemens ProductCERT advisory and the CISA republished guidance.
  • Verify whether your build or firmware configuration enables libpcap remote packet capture support; if not, document that exposure is reduced but still track the vendor fix.
  • Inventory Siemens devices named in the advisory and confirm firmware versions against the vendor’s affected-product list before scheduling maintenance.
  • Apply standard ICS hardening and least-privilege practices to reduce the chance that local high-privilege code paths can be reached.
  • Monitor affected appliances for unexpected crashes or restarts in packet-capture-related components until updates are deployed.

Evidence notes

The debrief is based on the supplied CISA CSAF advisory for ICSA-26-043-06 / CVE-2024-8006, Siemens advisory references, and the CVSS vector included in the source. The source explicitly says remote packet capture support is disabled by default, that pcap_findalldevs_ex() becomes available only when enabled, and that the crash occurs when NULL from opendir() is passed to readdir(). The advisory metadata also includes a vendor fix of V3.3 or later. Timing context uses the provided CVE publishedAt 2026-01-28 and modifiedAt 2026-02-25; the CVE identifier itself predates publication.

Official resources

Publicly disclosed in the vendor and CISA advisory stream on 2026-01-28, with a later CISA republication update on 2026-02-25. Use the supplied publishedAt and modifiedAt dates for chronology; the CVE identifier itself is CVE-2024-8006.