Siemens SINEC OS

Act Now | CVSS 10 | ICS-CERT ICSA-26-043-06 | Jan 28, 2026
Siemens
Attack path
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

SINEC OS before V3.3 contains multiple third-party component vulnerabilities affecting industrial network switches including RUGGEDCOM RST2428P and SCALANCE XC/XR/XCH/XCM/XRH/XRM series. These devices are critical backbone infrastructure in Siemens industrial networks, providing network connectivity for SCADA, process control, and safety systems. The vulnerabilities include buffer overflows, memory corruption, use-after-free issues, and input validation failures that could allow unauthenticated remote code execution.

What this means
What could happen
An attacker on the network can execute arbitrary commands on these switches without authentication, potentially gaining control of your industrial network backbone. This could disrupt communications to PLCs, RTUs, and safety systems, causing process shutdowns or enabling lateral movement to critical control systems.
Who's at risk
Water authorities and electric utilities using Siemens SCALANCE or RUGGEDCOM network switches as backbone infrastructure for SCADA, RTU, PLC, and safety system communications. Any facility relying on these switches to connect process control devices is at risk.
How it could be exploited
An attacker with network access to the switch management interface or data port sends specially crafted packets that trigger buffer overflows or memory corruption flaws in the SINEC OS firmware. No authentication is required. Successful exploitation allows the attacker to run arbitrary commands with system privileges on the switch, enabling them to intercept, modify, or block network traffic between control devices.
Prerequisites
  • Network access to the affected switch (management port or data network)
  • No credentials required
  • Affected SINEC OS version below 3.3
Tags: remotely exploitable, no authentication required, low complexity, actively exploited (KEV), high EPSS score (54%), affects network backbone for safety-critical systems
Exploitability
Actively exploited — confirmed by CISA KEV
Metasploit module available — weaponized exploit
Public Proof-of-Concept (PoC) on GitHub (10 repositories)
Affected products (16)
16 with fix
Product | Affected Versions | Fix Status
RUGGEDCOM RST2428P (6GK6242-6PA00) | < 3.3 | 3.3
SCALANCE XC-300/XR-300/XC-400/XR-500WG/XR-500 family | < 3.3 | 3.3
SCALANCE XCH328 | < 3.3 | 3.3
SCALANCE XCM324 | < 3.3 | 3.3
SCALANCE XCM328 | < 3.3 | 3.3
Remediation & Mitigation
Do now
HOTFIX: Update RUGGEDCOM RST2428P and all SCALANCE switches to SINEC OS firmware version 3.3 or later
WORKAROUND: Restrict network access to switch management interfaces (typically ports 22, 80, 443) using firewall rules to only authorized engineering workstations
WORKAROUND: If immediate patching is not possible, disable remote management and perform all configuration changes via console cable from local access only
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HARDENING: Segment industrial network switches onto a protected VLAN with restricted access from IT networks and untrusted sources
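
An added example, not part of the advisory: a Python triage over a device inventory that flags listed products still running SINEC OS below 3.3, to decide which switches need the hotfix. The CSV layout, hostnames and firmware strings are constructed, and the product list covers only the rows visible in the table on this page.

```python
import csv
import io
import re

FIXED = (3, 3)  # advisory: SINEC OS below 3.3 is affected, 3.3 carries the fix

# Product names from the rows visible on this page (it counts 16 products in
# total, so extend this tuple from the full vendor advisory before relying on it).
AFFECTED = (
    "RUGGEDCOM RST2428P", "SCALANCE XCH328", "SCALANCE XCM324", "SCALANCE XCM328",
    "SCALANCE XC-300", "SCALANCE XR-300", "SCALANCE XC-400",
    "SCALANCE XR-500WG", "SCALANCE XR-500",
)

# Constructed sample inventory (assumed CSV layout, made-up hosts and versions).
SAMPLE_INVENTORY = """\
host,product,firmware
sw-pump-01,SCALANCE XCM324,V3.2.1
sw-pump-02,SCALANCE XCM328,V3.10
sw-sub-01,RUGGEDCOM RST2428P,3.3
sw-sub-02,SCALANCE XR-500WG,V3.1
sw-lab-01,SCALANCE XCH328,unknown
sw-off-01,Generic office switch,1.0
"""

def parse_version(text):
    """Return the version as a tuple of ints, or None if it is not numeric."""
    m = re.fullmatch(r"[Vv]?(\d+(?:\.\d+)*)", text.strip())
    return tuple(int(p) for p in m.group(1).split(".")) if m else None

def triage(inventory_csv):
    """Map each host to 'patch', 'ok', 'check' or 'not-listed'."""
    result = {}
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        product = row["product"].strip().upper()
        version = parse_version(row["firmware"])
        if not any(product.startswith(name.upper()) for name in AFFECTED):
            result[row["host"]] = "not-listed"
        elif version is None:
            result[row["host"]] = "check"  # unreadable version: verify on the device
        else:
            # Integer tuples, so 3.10 sorts above 3.3 (a string compare would not).
            result[row["host"]] = "patch" if version < FIXED else "ok"
    return result

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host:12} {status}")
```

Hosts reported as "check" have a firmware field that could not be parsed and should be treated as unpatched until the version is confirmed on the device.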