Executive Summary

CVE-2025-9086 covers a cluster of memory handling defects in Siemens SINEC OS running on the RUGGEDCOM RST2428P before V4.0, including improper restriction of operations within a memory buffer, integer overflow or wraparound, and improper resource shutdown or release. Because the RST2428P is a hardened field and substation-grade switch that carries protection, control, and telemetry traffic, a successful trigger against these defects can degrade or halt the switching layer that connects protective relays, RTUs, and merging units.

Technical Exposure Breakdown

The vulnerable component is the SINEC OS firmware image on the RUGGEDCOM RST2428P, part number 6GK6242-6PA00, in all versions prior to V4.0. The vendor-scored CVSS reflects a 9.8 for the aggregate equipment condition, while the tracked base score here sits at 7.5, which places this in the high band regardless of which figure you weight. The distinction matters operationally: the 7.5 vector maps cleanly to a denial-of-service outcome driven by the improper resource release and integer wraparound conditions, while the higher vendor figure accounts for the memory buffer defect that carries potential for arbitrary code execution under the right conditions.

The three defect classes chain in predictable ways. An integer overflow in a length or count field lets an attacker miscalculate a buffer boundary. The improper restriction of operations within the bounds of that buffer is then the write primitive. The improper resource shutdown or release means the device does not cleanly recover state after a malformed request, so the fault does not self-heal. In a switch that is expected to forward IEC 61850 GOOSE and sampled values with deterministic timing, a hang or reset is not a nuisance. It is a loss of the communication path between protection functions.

The attack surface depends on how the switch management plane is exposed. If the affected parsing sits in a management protocol reachable from the process or supervisory VLAN, the reachable population is larger than most operators assume. Field switches frequently share management access with engineering workstations that themselves have broad reach.

OT Impact and Compliance Risk

The physical failure mode is loss of switching. When an RST2428P stops forwarding or reboots into a fault loop, everything downstream of that switch loses its communication path. In a substation automation build, that can mean protection coordination messages do not arrive, breaker status is stale, or a distributed protection scheme falls back to a slower backup. In a water or wastewater plant, it can mean SCADA loses visibility of pumps and valves on a segment.

For NERC CIP registered entities, a switch that carries BES Cyber System communication is in scope for CIP-007 patch management and CIP-010 configuration change tracking, and an unrecoverable device event has CIP-008 reporting implications. Under IEC 62443, this is a zone conduit integrity and availability failure that undercuts SL-2 assumptions for network components. Pipeline operators under TSA SD-02C should treat the RST2428P as a critical cyber asset where patch timelines and network segmentation objectives apply. Water utilities operating under AWIA 2018 risk and resilience obligations should log this against their control system dependency assessment.

Compensating Controls

Do not run active scans against RST2428P units in production to confirm exposure. The same malformed input classes that trigger the resource release defect can brick a field switch, and active scanning of industrial gear is a known outage cause. Confirm inventory passively through configuration records and span-port capture.

BreachSpider Intel: BreachSpider tracks CVE-2025-9086 and the broader RUGGEDCOM SINEC OS exposure across its ICS vulnerability dataset for continuous monitoring of affected OT fleets.