Executive Summary

CVE-2025-49794 aggregates multiple memory safety defects in Siemens SINEC OS before V4.0, including improper restriction of operations within a memory buffer, improper resource shutdown or release, and an integer overflow condition, any of which can be triggered against the RUGGEDCOM RST2428P managed switch. Because this hardware sits at the substation and hardened field layer moving protection and telemetry traffic, a successful attack can crash or corrupt the device that carries GOOSE, SV, and SCADA polling, taking down the communication path for physical protection schemes.

Technical Exposure Breakdown

The vulnerable component is the SINEC OS firmware running on the RUGGEDCOM RST2428P, part number 6GK6242-6PA00, at any version below V4.0. The CVSS 9.1 rating reflects a network attack vector with no privilege requirement and no user interaction. The underlying weakness classes are the ones that matter most in embedded network stacks.

The attack conditions are permissive. Any host with network reachability to the switch management or protocol plane can send crafted traffic. There is no requirement for valid credentials. In a flat or poorly segmented substation LAN, a compromised engineering workstation or an exposed management VLAN is enough to reach these devices at scale.

OT Impact and Compliance Risk

This is a network fabric device, not an endpoint. When the switch drops or reboots, everything downstream loses its path. Protection relays exchanging IEC 61850 GOOSE messages depend on sub millisecond delivery, and a switch that crashes under CVE-2025-49794 breaks the interlock and trip coordination those messages carry. The physical failure mode is loss of visibility and loss of protective control, not merely a data outage.

For NERC CIP registered entities, a RUGGEDCOM RST2428P inside an Electronic Security Perimeter is a BES Cyber Asset or associated EACMS, and this vulnerability drives obligations under CIP-007 patch management evaluation and CIP-010 configuration change management. Under IEC 62443, this is a Security Level target failure at the zone conduit boundary, since the device that enforces the conduit is itself the target. Water and wastewater operators running RUGGEDCOM gear inside AWIA 2018 covered systems, and pipeline operators under TSA Security Directive Pipeline 2021-02 series requirements, carry the same segmentation and mitigation reporting exposure.

Compensating Controls

Do not treat the vendor firmware update to V4.0 as your only step, and do not reach for active scanning to confirm exposure. Aggressive probing of RUGGEDCOM management services can itself trigger the resource release and buffer defects described here and brick the switch you are trying to protect. Use passive traffic inspection and asset inventory instead.

BreachSpider tracks Siemens SINEC OS and RUGGEDCOM advisories against exposure across 25,000+ ICS CVEs and 175,000+ OT products so operators can prioritize mitigation before active exploitation. Contact BreachSpider for continuous monitoring of your RUGGEDCOM fleet.