PatchSiren cyber security CVE debrief
CVE-2025-38725 Cert Portal CVE debrief
CVE-2025-38725 is a Linux kernel vulnerability described in the Siemens/CISA advisory set. The issue is in the ax88772 MDIO bus handling for USB network devices: without a phy_mask, the driver may create extra PHY devices, and only one binds to the network PHY driver. During suspend/resume, non-main PHY devices can trigger a NULL pointer dereference in the PHY state machine. The supplied remediation is to update to V5.0 or later.
- Vendor: Cert Portal
- Product: Siemens SIMATIC CN 4100 vers:intdot/<5.0
- CVSS: HIGH 7
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-12
- Original CVE updated: 2026-05-14
- Advisory published: 2026-05-12
- Advisory updated: 2026-05-14
Who should care
Administrators and operators responsible for the affected Siemens SIMATIC CN 4100 systems listed in the advisory, especially where Linux kernel USB network adapters or suspend/resume behavior are in use. Security teams that manage OT/industrial systems should also review the advisory scope and firmware version mapping.
Technical summary
The advisory describes a missing phy_mask on the ax88772 MDIO bus in the Linux kernel’s asix_devices path. The driver can instantiate up to 32 MDIO PHY devices across address range 0x00-0x1f, but only the primary PHY binds to the net PHY driver. When the system suspends or resumes, phy_polling_mode() in phy_state_machine() may dereference phydev->drv for non-main PHY devices, which can lead to a NULL pointer dereference. The supplied CVSS vector is CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H.
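An added illustration, not code from the advisory or from the Linux kernel: a small user-space C model of the condition described above, showing how many PHY devices a bus scan creates with and without a phy_mask, and how many of them end up with no driver bound. The struct and function names and the primary PHY address 0x10 are assumptions made for this example.

```c
/* User-space model of an MDIO bus scan; not kernel code. All names are illustrative. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#define PHY_MAX_ADDR 32                 /* MDIO addresses 0x00-0x1f */
#define PRIMARY_PHY_ADDR 0x10           /* constructed sample address */

struct phy_driver { const char *name; };
struct phy_device { int present; const struct phy_driver *drv; };
struct mii_bus { uint32_t phy_mask; struct phy_device phy[PHY_MAX_ADDR]; };

static const struct phy_driver net_phy = { "net-phy" };

/* A set bit in phy_mask means "skip this address when probing". */
static uint32_t mask_all_but(unsigned addr) { return ~(UINT32_C(1) << (addr & 0x1f)); }

/* Scan: every unmasked address yields a device; only bound_addr gets a driver. */
static int scan_bus(struct mii_bus *bus, unsigned bound_addr)
{
    int created = 0;
    for (unsigned a = 0; a < PHY_MAX_ADDR; a++) {
        bus->phy[a] = (struct phy_device){ 0, NULL };
        if (bus->phy_mask & (UINT32_C(1) << a))
            continue;
        bus->phy[a] = (struct phy_device){ 1, a == bound_addr ? &net_phy : NULL };
        created++;
    }
    return created;
}

/* Devices whose drv is NULL: the ones a resume-time drv access would fault on. */
static int driverless_phys(const struct mii_bus *bus)
{
    int n = 0;
    for (unsigned a = 0; a < PHY_MAX_ADDR; a++)
        n += bus->phy[a].present && bus->phy[a].drv == NULL;
    return n;
}

int main(void)
{
    struct mii_bus bus = { .phy_mask = 0 };            /* no mask set */
    int created = scan_bus(&bus, PRIMARY_PHY_ADDR);
    printf("no mask: %d devices, %d without driver\n", created, driverless_phys(&bus));
    bus.phy_mask = mask_all_but(PRIMARY_PHY_ADDR);     /* only the primary PHY is probed */
    created = scan_bus(&bus, PRIMARY_PHY_ADDR);
    printf("masked:  %d devices, %d without driver\n", created, driverless_phys(&bus));
    return 0;
}
```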
Defensive priority
High for any system matching the advisory’s affected product/version scope. Confirm exposure, then apply the vendor update path to V5.0 or later as soon as practical.
Recommended defensive actions
- Update to V5.0 or later version, as stated in the remediation guidance.
- Verify whether the deployed Siemens SIMATIC CN 4100 system is within the advisory’s affected version range before scheduling maintenance.
- Review the CISA and Siemens advisory links for any additional vendor guidance or clarifications.
- Track suspend/resume behavior on affected devices during change windows so operational impact can be assessed before and after remediation.
Evidence notes
The source material was published on 2026-05-12 and republished on 2026-05-14. The description attributes the bug to a Linux kernel USB network driver issue and the remediation to a vendor update. The supplied advisory metadata also marks the vendor/product mapping as low confidence and in need of review, so the affected-product scope should be interpreted cautiously.
Official resources
- CVE-2025-38725 CVE record (CVE.org)
- CVE-2025-38725 NVD detail (NVD)
- Source item URL (cisa_csaf)
- Source reference (Reference)
Publicly disclosed in the supplied CISA CSAF source on 2026-05-12 and republished by CISA on 2026-05-14 from Siemens ProductCERT advisory SSA-032379. No KEV listing was supplied for this CVE.