ICSA-24-193-11 · Published 2026-01-14
Siemens RUGGEDCOM APE1808
CVSS 9.1 (CRITICAL)
CVEs (9)
Remediations
- Configure the RADIUS server to require the presence of a Message-Authenticator attribute in all Access-Request packets from RADIUS client devices that support it
- Customers can resolve this issue by configuring the in-use SSH profile to contain at least one cipher and at least one MAC algorithm, which removes support for CHACHA20-POLY1305 and all Encrypt-then-MAC algorithms (those with -etm in the name) in PAN-OS software. See Palo Alto Networks' upstream documentation at https://security.paloaltonetworks.com/CVE-2023-48795 for additional guidance.
- Restrict access to the networks where RADIUS messages are exchanged (e.g., send RADIUS traffic via management network or a dedicated VLAN)
- Upgrade Palo Alto Networks Virtual NGFW to V11.1.4-h1. Contact customer support to receive patch and update information
- Exposure can be reduced by limiting access to the management interface to trusted internal IP addresses as described in Palo Alto Networks' Security Advisory
Affected Vendors
Siemens
Affected Products (4)
Siemens
·
RUGGEDCOM APE1808
vers:all/*
Affected Sectors
Critical Manufacturing