Siemens tells industrial customers to patch RUGGEDCOM switches now, cites dozens of flaws in SINEC OS
The German engineering giant has shipped version 4.0 of its ruggedised network operating system to close a long list of bugs, including one rated 9.8 out of 10.

Key points
- Siemens released SINEC OS version 4.0 for its RUGGEDCOM RST2428P industrial switch (part number 6GK6242-6PA00) to fix a large batch of vulnerabilities.
- The most serious flaw carries a CVSS score of 9.8 out of 10, the second-highest severity rating a bug can receive.
- Affected sectors include energy, transport, manufacturing, healthcare, financial services and government facilities worldwide.
- Individual bugs include CVE-2025-1352, CVE-2025-1376, CVE-2025-6052, CVE-2025-6141, CVE-2025-6170, CVE-2025-7039 and CVE-2025-8732.
- Siemens is directing operators to update to V4.0 or later; no active exploitation has been reported.
Siemens has told industrial customers to update a widely deployed piece of network kit after disclosing a long list of security flaws in its operating system.
The device in question is the RUGGEDCOM RST2428P, an industrial ethernet switch. Think of it as the traffic controller for the cables running between machines inside a power substation, a rail signalling cabinet, or a factory floor. It runs software called SINEC OS.
Every version of SINEC OS before 4.0 is affected. Siemens, headquartered in Germany, is one of the largest suppliers of industrial control equipment in the world, and this hardware ships into critical manufacturing, energy, transport, healthcare, finance and government sites globally.
The advisory was published through CISA, the US Cybersecurity and Infrastructure Security Agency, which routinely republishes industrial control system alerts from vendors.
What is actually broken?
More than two dozen distinct weaknesses, most of them in open-source software libraries that Siemens bundles into its product. The headline number is a CVSS score of 9.8 out of 10. CVSS is the industry's standard 0-to-10 severity scale, and 9.8 means the flaw can be triggered from across the network without a password.
The named bugs read like a tour of common software mistakes.
CVE-2025-1352 is a memory corruption bug in GNU elfutils, a set of tools for reading program files. It can be triggered remotely, though Siemens notes it is hard to exploit reliably.
CVE-2025-6052 affects GLib, a widely used building-block library. When a program tries to add data to a very large text string, the size calculation silently wraps around, and data ends up written past the end of memory. That typically means a crash, sometimes worse.
CVE-2025-6141 is a stack buffer overflow in GNU ncurses, the library that handles text-based terminal displays. CVE-2025-6170 is a similar overflow in the interactive shell of xmllint, a tool for checking XML files. Both need local access.
CVE-2025-7039 is a path traversal bug in glib. Path traversal means an attacker tricks a program into reading or writing files outside the folder it's supposed to touch. CVE-2025-1376 and CVE-2025-8732 round out the list, covering denial-of-service conditions in elfutils and libxml2.
The broader Siemens list also cites cross-site scripting, authentication bypass, race conditions, prototype pollution and active debug code left in the product. That last one, active debug code, is exactly what it sounds like: developer test hooks that should not ship in a production device.
Should operators be worried?
Yes, but the fix is straightforward: install SINEC OS version 4.0 or later, available from Siemens Industry Online Support.
The practical concern is that industrial switches are not phones. They do not update themselves. They sit in locked cabinets in remote sites, often behind change-control processes that take weeks. Between now and the moment those cabinets are opened, the flaws are still there.
Siemens says there are no reports of the bugs being used in real attacks. The company's guidance for industrial customers has long been the same: put this equipment on isolated networks, restrict who can reach it, and treat any device speaking to the wider internet as a serious risk.
For ordinary members of the public, there's nothing to do. The equipment sits inside utilities and factories, not homes. But the sectors listed, power, water, hospitals, transit, are the ones people feel when something goes wrong.



