PatchSiren

PatchSiren cyber security CVE debrief

CVE-2025-21638 Siemens CVE debrief

A null-pointer dereference vulnerability exists in the Linux kernel's SCTP (Stream Control Transmission Protocol) sysctl implementation for the `auth_enable` parameter. The flaw occurs when the kernel accesses `current->nsproxy` to obtain network namespace information during sysctl read/write operations. In specific scenarios, such as when a task is exiting, `current->nsproxy` can be NULL, causing an Oops (kernel crash). This was identified by syzbot using the `acct(2)` system call. The vulnerability stems from inconsistent namespace handling: the handler used the network namespace of whichever task reads or writes the sysctl, rather than only the namespace of the task that opened it. The fix retrieves the `net` structure from `table->data` using `container_of()` rather than through the current task's namespace proxy. Siemens has confirmed this vulnerability affects the GNU/Linux subsystem of the SIMATIC S7-1500 TM MFP industrial control system.

Vendor: Siemens
Product: SIMATIC S7-1500 TM MFP - GNU/Linux subsystem
CVSS: MEDIUM 5.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2024-04-09
Original CVE updated: 2026-05-14
Advisory published: 2024-04-09
Advisory updated: 2026-05-14

Who should care

Organizations running Siemens SIMATIC S7-1500 TM MFP systems with the GNU/Linux subsystem enabled, industrial control system operators, Linux kernel maintainers for embedded/ICS environments, and security teams responsible for OT/ICS infrastructure.

Technical summary

The vulnerability exists in the Linux kernel's SCTP protocol implementation, specifically in the sysctl handler for `auth_enable`. The code incorrectly uses `current->nsproxy` to access network namespace information, which can be NULL when the current task is exiting. This results in a null-pointer dereference (Oops). The proper fix uses `container_of()` on `table->data` to obtain the `net` structure directly. The vulnerability is local (AV:L), requires low privileges (PR:L), and can cause high availability impact (A:H) through denial of service (kernel crash).
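The two lookups described above, modelled in user space as an added example (this is not kernel code and not from Siemens or the kernel fix; the `struct net`, `struct nsproxy`, `struct task` and `struct ctl_table` layouts are simplified assumptions). The point it shows is that once each namespace's `ctl_table` has `->data` pointing at its own `sctp.auth_enable`, `container_of()` recovers the owning namespace without touching `current` at all:

```c
/* Added user-space model of the CVE-2025-21638 fix pattern (not kernel code).
 * Struct layouts and names below are simplified assumptions. */
#include <stddef.h>
#include <stdio.h>

#define container_of(ptr, type, member) \
    ((type *)((char *)(ptr) - offsetof(type, member)))

struct sctp_net  { int auth_enable; };          /* subset of netns_sctp */
struct net       { int id; struct sctp_net sctp; };
struct nsproxy   { struct net *net_ns; };
struct task      { struct nsproxy *nsproxy; };  /* stand-in for task_struct */
struct ctl_table { const char *procname; void *data; };

/* Vulnerable pattern: derive the namespace from the calling task. For an
 * exiting task nsproxy is already NULL; the real handler has no check and
 * dereferences it (Oops). This model returns NULL instead of crashing. */
struct net *net_from_current(struct task *current)
{
    if (!current->nsproxy)
        return NULL;
    return current->nsproxy->net_ns;
}

/* Fixed pattern: every namespace registers its own ctl_table whose ->data
 * points at its own sctp.auth_enable, so container_of() recovers the owning
 * struct net from the table alone, independent of who reads or writes it. */
struct net *net_from_table(struct ctl_table *table)
{
    return container_of(table->data, struct net, sctp.auth_enable);
}

/* Per-namespace registration: point the table at this net's field. */
void register_auth_enable(struct ctl_table *table, struct net *net)
{
    table->procname = "auth_enable";
    table->data = &net->sctp.auth_enable;
}

int main(void)
{
    struct net init_net = { .id = 1 }, child_net = { .id = 2 };
    struct ctl_table t1, t2;
    register_auth_enable(&t1, &init_net);
    register_auth_enable(&t2, &child_net);
    struct task exiting = { .nsproxy = NULL };
    printf("current-based lookup for exiting task: %p\n",
           (void *)net_from_current(&exiting));
    printf("table-based lookup: net %d / net %d\n",
           net_from_table(&t1)->id, net_from_table(&t2)->id);
    return 0;
}
```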

Defensive priority

medium

Recommended defensive actions

  • Apply kernel updates from Siemens when available for the SIMATIC S7-1500 TM MFP GNU/Linux subsystem
  • Restrict interactive shell access to the GNU/Linux subsystem to trusted personnel only
  • Only build and run applications from trusted sources on affected systems
  • Monitor for kernel Oops messages in system logs that may indicate exploitation attempts
  • Review network namespace isolation configurations to minimize attack surface

Evidence notes

The vulnerability description indicates this was resolved in the Linux kernel with a commit that avoids using `current->nsproxy` in the SCTP sysctl `auth_enable` handler. The issue was detected by syzbot using `acct(2)`. Siemens has included this CVE in their security advisory SSA-265688 for the SIMATIC S7-1500 TM MFP product, with the CISA ICS advisory ICSA-24-102-01 tracking this and related vulnerabilities. The advisory was initially published on 2024-04-09 and has been updated multiple times through September 2025 to include additional CVEs.

Official resources

2024-04-09