Siemens (Third-Party Components in SINEC OS before V3.3) Product Security Update Advisory
Overview
Siemens (https://www.siemens.com) has released a security update that fixes vulnerabilities in its products. Users of affected products are advised to update to the latest version.
Affected Products
RUGGEDCOM RST2428P (6GK6242-6PA00) V3.3 and earlier
SCALANCE XCH328 (6GK5328-4TS01-2EC2) V3.3 and earlier
SCALANCE XCM324 (6GK5324-8TS01-2AC2) V3.3 and earlier
SCALANCE XCM328 (6GK5328-4TS01-2AC2) V3.3 and earlier
SCALANCE XCM332 (6GK5332-0GA01-2AC2) V3.3 and earlier
SCALANCE XRH334 (24 V DC, 8xFO, CC) (6GK5334-2TS01-2ER3) V3.3 and earlier
SCALANCE XRM334 (230 V AC, 12xFO) (6GK5334-3TS01-3AR3) V3.3 and earlier
SCALANCE XRM334 (230 V AC, 8xFO) (6GK5334-2TS01-3AR3) V3.3 and earlier
SCALANCE XRM334 (230V AC, 2x10G, 24xSFP, 8xSFP+) (6GK5334-5TS01-3AR3) V3.3 and earlier
SCALANCE XRM334 (24 V DC, 12xFO) (6GK5334-3TS01-2AR3) V3.3 and earlier
SCALANCE XRM334 (24 V DC, 8xFO) (6GK5334-2TS01-2AR3) V3.3 and earlier
SCALANCE XRM334 (24V DC, 2x10G, 24xSFP, 8xSFP+) (6GK5334-5TS01-2AR3) V3.3 and earlier
SCALANCE XRM334 (2×230 V AC, 12xFO) (6GK5334-3TS01-4AR3) V3.3 and earlier
SCALANCE XRM334 (2×230 V AC, 8xFO) (6GK5334-2TS01-4AR3) V3.3 and earlier
SCALANCE XRM334 (2×230 V AC, 2x10G, 24xSFP, 8xSFP+) (6GK5334-5TS01-4AR3) V3.3 and earlier
Resolved Vulnerabilities
Missing Authentication for Critical Function Vulnerability in Third-Party Components in SINEC OS before V3.3 due to insufficient call limits for critical functions (CVE-2025-32433, CVSS 10.0) [1]
Improper Input Value Validation Vulnerability in Third-Party Components in SINEC OS before V3.3 Due to Insufficient Input Value Validation (CVE-2025-38084 and 2 others, CVSS 7.0) [1]
Improper Input Value Validation Vulnerability in SINEC OS before V3.3 due to Insufficient Input Value Validation (CVE-2025-38350 and 1 other, CVSS 7.1) [1]
Multiple Releases of Same Resource or Handle Vulnerability in Third-Party Components in SINEC OS before V3.3 due to multiple releases of the same resource or handle (CVE-2025-0665, CVSS 7.3) [1]
Buffer overflow attack vulnerability in Third-Party Components in SINEC OS before V3.3 due to integer overflow to buffer overflow (CVE-2025-0725, CVSS 7.3) [1]
Improper input validation vulnerability due to insufficient input validation in Third-Party Components in SINEC OS before V3.3 (CVE-2025-38498, CVSS 7.3) [1]
Free of Memory not on the Heap Vulnerability due to free of memory not on the heap in Third-Party Components in SINEC OS before V3.3 (CVE-2024-6197, CVSS 7.5) [1]
Improper Certificate Validation Vulnerability in Third-Party Components in SINEC OS before V3.3 due to insufficient certificate validation (CVE-2024-41996 and 1 other, CVSS 7.5) [1]
Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’) Vulnerability in Third-Party Components in SINEC OS before V3.3 due to Insufficient Validation of Pathname Information (CVE-2025-4138 and 1 other, CVSS 7.5) [1]
Incorrect Calculation Vulnerability in Third-Party Components in SINEC OS before V3.3 (CVE-2025-4435, CVSS 7.5) [1]
Out-of-Bounds Read Vulnerability due to an out-of-bounds read in Third-Party Components in SINEC OS before V3.3 (CVE-2025-9086, CVSS 7.5) [1]
Allocation of Resources Without Limits or Throttling Vulnerability in Third-Party Components in SINEC OS before V3.3 due to insufficient validation of resource boundary values (CVE-2025-59375, CVSS 7.5) [1]
Out-of-Bounds Write Vulnerability Due to Out-of-Bounds Writes in Third-Party Components in SINEC OS before V3.3 (CVE-2022-48174, CVSS 7.8) [1]
Use-After-Free Vulnerability in Third-Party Components in SINEC OS before V3.3 due to Memory Reuse After Free (UAF) (CVE-2023-42365, CVSS 7.8) [1]
Improper Input Value Validation Vulnerability in Third-Party Components in SINEC OS before V3.3 Due to Insufficient Input Value Validation (CVE-2025-39841 and 1 other, CVSS 7.8) [1]
Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’) Vulnerability in Third-Party Components in SINEC OS before V3.3 Due to Insufficient Validation of Pathname Information (CVE-2025-4517, CVSS 9.4) [1]
Out-of-Bounds Write Vulnerability Due to Out-of-Bounds Writes in Third-Party Components in SINEC OS before V3.3 (CVE-2024-52533, CVSS 9.8) [1]
Vulnerability Patches
The following vulnerability patches or mitigations were made available in the January 28, 2026 update. For more information on the patches, please see the reference documentation.
RUGGEDCOM RST2428P (6GK6242-6PA00)
Update to V3.3 and later
https://support.industry.siemens.com/cs/ww/en/view/109997626/
SCALANCE XCH328 (6GK5328-4TS01-2EC2)
Update to V3.3 and later
https://support.industry.siemens.com/cs/ww/en/view/109997626/
SCALANCE XCM324 (6GK5324-8TS01-2AC2)
Update to V3.3 and later
https://support.industry.siemens.com/cs/ww/en/view/109997626/
SCALANCE XCM328 (6GK5328-4TS01-2AC2)
Update to V3.3 and later
https://support.industry.siemens.com/cs/ww/en/view/109997626/
SCALANCE XCM332 (6GK5332-0GA01-2AC2)
Update to V3.3 and later
https://support.industry.siemens.com/cs/ww/en/view/109997626/
SCALANCE XRH334 (24 V DC, 8xFO, CC) (6GK5334-2TS01-2ER3)
Update to V3.3 and later
https://support.industry.siemens.com/cs/ww/en/view/109997626/
SCALANCE XRM334 (230 V AC, 12xFO) (6GK5334-3TS01-3AR3)
Update to V3.3 and later
https://support.industry.siemens.com/cs/ww/en/view/109997626/
SCALANCE XRM334 (230 V AC, 8xFO) (6GK5334-2TS01-3AR3)
Update to V3.3 and later
https://support.industry.siemens.com/cs/ww/en/view/109997626/
SCALANCE XRM334 (230 V AC, 2x10G, 24xSFP, 8xSFP+) (6GK5334-5TS01-3AR3)
Update to V3.3 and later
https://support.industry.siemens.com/cs/ww/en/view/109997626/
SCALANCE XRM334 (24 V DC, 12xFO) (6GK5334-3TS01-2AR3)
Update to V3.3 and later
https://support.industry.siemens.com/cs/ww/en/view/109997626/
SCALANCE XRM334 (24 V DC, 8xFO) (6GK5334-2TS01-2AR3)
Update to V3.3 and later
https://support.industry.siemens.com/cs/ww/en/view/109997626/
SCALANCE XRM334 (24V DC, 2x10G, 24xSFP, 8xSFP+) (6GK5334-5TS01-2AR3)
Update to V3.3 and later
https://support.industry.siemens.com/cs/ww/en/view/109997626/
SCALANCE XRM334 (2×230 V AC, 12xFO) (6GK5334-3TS01-4AR3)
Update to V3.3 and later
https://support.industry.siemens.com/cs/ww/en/view/109997626/
SCALANCE XRM334 (2×230 V AC, 8xFO) (6GK5334-2TS01-4AR3)
Update to V3.3 and later
https://support.industry.siemens.com/cs/ww/en/view/109997626/
SCALANCE XRM334 (2x230V AC, 2x10G, 24xSFP, 8xSFP+) (6GK5334-5TS01-4AR3)
Update to V3.3 and later
https://support.industry.siemens.com/cs/ww/en/view/109997626/
Referenced Sites
[1] SSA-089022 V1.0: Multiple Vulnerabilities in Third-Party Components in SINEC OS before V3.3
https://cert-portal.siemens.com/productcert/html/ssa-089022.html