Multiple Vulnerabilities in SINEC OS
Risk: Low (3.1)
Advisory: SSA-494539
Date: Sep 9, 2025
Attack Vector: Adjacent
Auth Required: None
Complexity: High
User Interaction: None needed
Summary
SINEC OS in RUGGEDCOM RST2428P devices is affected by multiple vulnerabilities arising from open UDP ports that allow unauthenticated information disclosure and potential temporary denial of service. CWE-400 (uncontrolled resource consumption) and CWE-200 (exposure of sensitive information) are the underlying weaknesses. The vulnerabilities require local network access and do not currently have vendor fixes available, though Siemens is preparing remediation. Recommended countermeasures include network protection mechanisms, operational security hardening per Siemens guidelines, and adherence to product manuals for secure configuration.
What this means
What could happen
An attacker on the local network could access non-sensitive information from the device without authentication, or cause temporary service interruptions affecting network communication for the industrial switch.
Who's at risk
Water authorities, electric utilities, and other critical infrastructure operators using RUGGEDCOM RST2428P industrial managed switches for network connectivity in control system environments should evaluate their exposure to this vulnerability.
How it could be exploited
An attacker with access to the local network segment can send specially crafted UDP packets to open ports on the RUGGEDCOM RST2428P. The device does not require authentication to process these requests, allowing information disclosure or triggering a denial of service condition.
Prerequisites
- Network access to the local network segment (Layer 2/3) where the RUGGEDCOM RST2428P is deployed
- Ability to send UDP packets to the device's open ports
Tags: no authentication required · low complexity · network access limited to local segment · no patch currently available
Exploitability
Low exploit probability (EPSS 0.0%)
Affected products (1)
Product | Affected Versions | Fix Status
RUGGEDCOM RST2428P (6GK6242-6PA00) | All versions | No fix (EOL)
Remediation & Mitigation
Do now
HARDENING: Implement network segmentation and firewall rules to restrict access to the RUGGEDCOM RST2428P to only authorized management stations and required industrial network segments
WORKAROUND: Disable or restrict UDP services on the device if not required for operations
HARDENING: Implement access control lists (ACLs) at the network edge to limit traffic to the device's open UDP ports
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
HOTFIX: Monitor vendor advisories for availability of firmware updates and apply when released in a controlled maintenance window
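The two "Do now" hardening items above come down to a policy decision per flow (is this UDP datagram to the switch coming from an authorized management station, on a port that is actually needed?) plus a watch for traffic bursts, since the advisory's denial-of-service weakness is uncontrolled resource consumption (CWE-400). The following is an added example, not code from Siemens or from the advisory, that encodes such a policy and runs it over a handful of constructed flow records so the rules can be reviewed before they are pushed to an edge firewall. The switch address, the management-station addresses, the allowed UDP port (161 is an assumption) and the log format are all placeholders; the advisory itself does not name the affected UDP ports.

```python
"""ACL policy check and UDP-burst detection for a RUGGEDCOM RST2428P segment.

Added example (not Siemens code). It models two mitigations from the advisory:
restrict UDP traffic to the switch to authorised management stations, and flag
sources that send UDP bursts which could exhaust device resources (CWE-400).
Every address, port and log line below is a constructed placeholder.
"""
from collections import defaultdict, deque
from datetime import datetime

# --- Policy (assumed values; replace with the real network plan) ---
SWITCH_IP = "10.10.0.20"                    # placeholder address of the RST2428P
MGMT_STATIONS = {"10.10.0.5", "10.10.0.6"}  # placeholder authorised management hosts
ALLOWED_UDP_PORTS = {161}                   # placeholder: assume only SNMP is needed
BURST_THRESHOLD = 5                         # max UDP datagrams per source per window
BURST_WINDOW_S = 2                          # window length in seconds


def parse_flow(line):
    """Parse one constructed flow record: '<iso-ts> proto=.. src=.. dst=.. dport=..'."""
    ts_str, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    return {
        "ts": datetime.fromisoformat(ts_str.replace("Z", "+00:00")),
        "proto": rec["proto"],
        "src": rec["src"],
        "dst": rec["dst"],
        "dport": int(rec["dport"]),
    }


def acl_decision(flow):
    """Return ('allow'|'deny', reason) for one flow under the edge ACL policy."""
    if flow["dst"] != SWITCH_IP:
        return "allow", "not addressed to the switch"
    if flow["proto"] != "UDP":
        return "allow", "non-UDP traffic is covered by other rules"
    if flow["src"] not in MGMT_STATIONS:
        return "deny", "UDP to switch from unauthorised source"
    if flow["dport"] not in ALLOWED_UDP_PORTS:
        return "deny", f"UDP port {flow['dport']} not in allow-list"
    return "allow", "authorised management traffic"


def detect_bursts(flows):
    """Return sources exceeding BURST_THRESHOLD UDP datagrams to the switch within a window."""
    recent = defaultdict(deque)  # per-source sliding window of timestamps
    flagged = set()
    for f in sorted(flows, key=lambda x: x["ts"]):
        if f["dst"] != SWITCH_IP or f["proto"] != "UDP":
            continue
        window = recent[f["src"]]
        window.append(f["ts"])
        # drop timestamps that fell out of the window
        while (f["ts"] - window[0]).total_seconds() > BURST_WINDOW_S:
            window.popleft()
        if len(window) > BURST_THRESHOLD:
            flagged.add(f["src"])
    return flagged


def audit(lines):
    """Apply the ACL policy and burst detector to a list of flow records."""
    flows = [parse_flow(line) for line in lines]
    denied = []
    for f in flows:
        verdict, reason = acl_decision(f)
        if verdict == "deny":
            denied.append((f["src"], f["dport"], reason))
    return {"denied": denied, "burst_sources": detect_bursts(flows)}


# Constructed sample records: legitimate SNMP, an unneeded UDP port from a
# management host, an unauthorised host, SSH (not in scope), then a UDP burst.
SAMPLE_LOG = [
    "2025-09-09T10:00:00Z proto=UDP src=10.10.0.5 dst=10.10.0.20 dport=161",
    "2025-09-09T10:00:01Z proto=UDP src=10.10.0.5 dst=10.10.0.20 dport=9999",
    "2025-09-09T10:00:02Z proto=UDP src=10.10.0.77 dst=10.10.0.20 dport=161",
    "2025-09-09T10:00:03Z proto=TCP src=10.10.0.77 dst=10.10.0.20 dport=22",
] + [
    f"2025-09-09T10:00:0{5 + i // 3}Z proto=UDP src=10.10.0.77 dst=10.10.0.20 dport=161"
    for i in range(6)
]

if __name__ == "__main__":
    result = audit(SAMPLE_LOG)
    for src, dport, reason in result["denied"]:
        print(f"DENY  {src} -> udp/{dport}: {reason}")
    for src in sorted(result["burst_sources"]):
        print(f"BURST {src}: more than {BURST_THRESHOLD} UDP datagrams in {BURST_WINDOW_S}s")
```

The allow-list is deliberately strict in both dimensions (source and destination port), which mirrors the advisory's advice to disable UDP services that operations do not need; widening `ALLOWED_UDP_PORTS` should be a conscious change reviewed against the product manual, not a default.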
CVEs (2)