CVE-2023-52927 Siemens CVE debrief

Who should care

Operators, engineers, and maintainers responsible for the listed Siemens SIMATIC S7-1500 CPU variants, especially environments that use the additional GNU/Linux subsystem or run custom applications on those devices.

Technical summary

The CVE description states that nf_conntrack_in() calling nf_ct_find_expectation() can remove an expectation entry from the hash table, while some scenarios require the expectation to remain until a created connection is confirmed. The patch changes the template status so the expectation is not removed in those scenarios. In the Siemens CSAF advisory, the issue is mapped to five SIMATIC S7-1500 CPU product identifiers and scored with CVSS 3.1 vector AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H, indicating a local, hard-to-exploit condition with high availability impact and no confidentiality or integrity impact in the advisory’s scoring.

Defensive priority

Medium. The advisory indicates no fix is available, so exposure reduction and operational controls are the primary defenses for affected deployments.

Recommended defensive actions

• Restrict access to the additional GNU/Linux subsystem to trusted personnel only.
• Only build and run applications from trusted sources on affected devices.
• Review whether any affected Siemens CPU variants are deployed in your environment and inventory them by product identifier.
• Monitor Siemens and CISA advisory updates for any future remediation guidance or revised mitigation advice.

Evidence notes

This debrief is based on the CISA CSAF advisory ICSA-25-162-05 and the linked Siemens ProductCERT advisory SSA-082556. The source advisory lists five affected SIMATIC S7-1500 CPU product names, states that no fix is currently available, and provides mitigation guidance focused on restricting subsystem access and trusting application sources. The published date used here is the advisory publication date: 2025-06-10, with later republication updates reflected in the source timeline.

Official resources