Back to Feed
VulnerabilitiesJul 7, 2026

Siemens SINEC OS

Siemens SINEC OS RUGGEDCOM RST2428P affected by multiple Linux kernel vulnerabilities.

Summary

Siemens SINEC OS, specifically the RUGGEDCOM RST2428P product, is affected by numerous vulnerabilities within the Linux kernel. These vulnerabilities span various categories including memory corruption, race conditions, improper input validation, and denial of service. Siemens recommends updating to SINEC OS V4.0 or later to address these issues.

Full text

ICS Advisory Siemens SINEC OS Release DateJuly 07, 2026 Alert CodeICSA-26-188-05 Related topics: Industrial Control System Vulnerabilities , Industrial Control Systems View CSAF Summary SINEC OS before V4.0 contains multiple vulnerabilities. Siemens has released a new version for RUGGEDCOM RST2428P and recommends to update to the latest version. The following versions of Siemens SINEC OS are affected: RUGGEDCOM RST2428P (6GK6242-6PA00) vers:intdot/<4.0 CVSS Vendor Equipment Vulnerabilities v3 9.8 Siemens Siemens SINEC OS Improper Restriction of Operations within the Bounds of a Memory Buffer, Improper Resource Shutdown or Release, Integer Overflow or Wraparound, Stack-based Buffer Overflow, Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal'), Uncontrolled Recursion, Out-of-bounds Read, Covert Timing Channel, Improper Input Validation, Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution'), Improper Update of Reference Count, Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition'), Multiple Releases of Same Resource or Handle, Permissive Regular Expression, Expired Pointer Dereference, Incorrect Bitwise Shift of Integer, Out-of-bounds Write, User Interface (UI) Misrepresentation of Critical Information, Improper Access Control, Insertion of Sensitive Information Into Sent Data, Inefficient Algorithmic Complexity, Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'), Authentication Bypass by Primary Weakness, NULL Pointer Dereference, Active Debug Code, Loop with Unreachable Exit Condition ('Infinite Loop'), Missing Synchronization, External Control of File Name or Path, Privilege Dropping / Lowering Errors, Use of Web Browser Cache Containing Sensitive Information Background Critical Infrastructure Sectors: Critical Manufacturing, Transportation Systems, Energy, Healthcare and Public Health, Financial Services, Government Services and Facilities Countries/Areas Deployed: Worldwide Company Headquarters Location: Germany Vulnerabilities Expand All + CVE-2025-1352 A vulnerability has been found in GNU elfutils 0.192 and classified as critical. This vulnerability affects the function __libdw_thread_tail in the library libdw_alloc.c of the component eu-readelf. The manipulation of the argument w leads to memory corruption. The attack can be initiated remotely. The complexity of an attack is rather high. The exploitation appears to be difficult. The exploit has been disclosed to the public and may be used. The name of the patch is 2636426a091bd6c6f7f02e49ab20d4cdc6bfc753. It is recommended to apply a patch to fix this issue. View CVE Details Affected Products Siemens SINEC OS Vendor:Siemens Product Version:RUGGEDCOM RST2428P (6GK6242-6PA00) Product Status:known_affected Remediations Vendor fixUpdate to V4.0 or later versionhttps://support.industry.siemens.com/cs/ww/en/view/110002573/ Relevant CWE: CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer Metrics CVSS Version Base Score Base Severity Vector String 3.1 5 MEDIUM CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L CVE-2025-1376 A vulnerability classified as problematic was found in GNU elfutils 0.192. This vulnerability affects the function elf_strptr in the library /libelf/elf_strptr.c of the component eu-strip. The manipulation leads to denial of service. It is possible to launch the attack on the local host. The complexity of an attack is rather high. The exploitation appears to be difficult. The exploit has been disclosed to the public and may be used. The name of the patch is b16f441cca0a4841050e3215a9f120a6d8aea918. It is recommended to apply a patch to fix this issue. View CVE Details Affected Products Siemens SINEC OS Vendor:Siemens Product Version:RUGGEDCOM RST2428P (6GK6242-6PA00) Product Status:known_affected Remediations Vendor fixUpdate to V4.0 or later versionhttps://support.industry.siemens.com/cs/ww/en/view/110002573/ Relevant CWE: CWE-404 Improper Resource Shutdown or Release Metrics CVSS Version Base Score Base Severity Vector String 3.1 2.5 LOW CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L CVE-2025-6052 A flaw was found in how GLib’s GString manages memory when adding data to strings. If a string is already very large, combining it with more input can cause a hidden overflow in the size calculation. This makes the system think it has enough memory when it doesn’t. As a result, data may be written past the end of the allocated memory, leading to crashes or memory corruption. View CVE Details Affected Products Siemens SINEC OS Vendor:Siemens Product Version:RUGGEDCOM RST2428P (6GK6242-6PA00) Product Status:known_affected Remediations Vendor fixUpdate to V4.0 or later versionhttps://support.industry.siemens.com/cs/ww/en/view/110002573/ Relevant CWE: CWE-190 Integer Overflow or Wraparound Metrics CVSS Version Base Score Base Severity Vector String 3.1 3.7 LOW CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L CVE-2025-6141 A vulnerability has been found in GNU ncurses up to 6.5-20250322 and classified as problematic. This vulnerability affects the function postprocess_termcap of the file tinfo/parse_entry.c. The manipulation leads to stack-based buffer overflow. The attack needs to be approached locally. Upgrading to version 6.5-20250329 is able to address this issue. It is recommended to upgrade the affected component. View CVE Details Affected Products Siemens SINEC OS Vendor:Siemens Product Version:RUGGEDCOM RST2428P (6GK6242-6PA00) Product Status:known_affected Remediations Vendor fixUpdate to V4.0 or later versionhttps://support.industry.siemens.com/cs/ww/en/view/110002573/ Relevant CWE: CWE-121 Stack-based Buffer Overflow Metrics CVSS Version Base Score Base Severity Vector String 3.1 3.3 LOW CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L CVE-2025-6170 A flaw was found in the interactive shell of the xmllint command-line tool, used for parsing XML files. When a user inputs an overly long command, the program does not check the input size properly, which can cause it to crash. This issue might allow attackers to run harmful code in rare configurations without modern protections. View CVE Details Affected Products Siemens SINEC OS Vendor:Siemens Product Version:RUGGEDCOM RST2428P (6GK6242-6PA00) Product Status:known_affected Remediations Vendor fixUpdate to V4.0 or later versionhttps://support.industry.siemens.com/cs/ww/en/view/110002573/ Relevant CWE: CWE-121 Stack-based Buffer Overflow Metrics CVSS Version Base Score Base Severity Vector String 3.1 2.5 LOW CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L CVE-2025-7039 A flaw was found in glib. An integer overflow during temporary file creation leads to an out-of-bounds memory access, allowing an attacker to potentially perform path traversal or access private temporary file content by creating symbolic links. This vulnerability allows a local attacker to manipulate file paths and access unauthorized data. The core issue stems from insufficient validation of file path lengths during temporary file operations. View CVE Details Affected Products Siemens SINEC OS Vendor:Siemens Product Version:RUGGEDCOM RST2428P (6GK6242-6PA00) Product Status:known_affected Remediations Vendor fixUpdate to V4.0 or later versionhttps://support.industry.siemens.com/cs/ww/en/view/110002573/ Relevant CWE: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') Metrics CVSS Version Base Score Base Severity Vector String 3.1 3.7 LOW CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N CVE-2025-8732 A vulnerability was found in libxml2 up to 2.14.5. It has been declared as problematic. This vulnerability affects the function xmlParseSGMLCatalog of the component xmlcatalog. The manipulation leads to uncontrolled recursion. Attacking locally is a requirement. The exploit has been disclosed to the public and may be used. The real existence of this vulnerability is still doubted at the moment. The code

Entities

SINEC OS (product)RUGGEDCOM RST2428P (product)Siemens (vendor)