PatchSiren cyber security CVE debrief
CVE-2025-21701 Siemens CVE debrief
CVE-2025-21701 is a Siemens advisory for several SIMATIC S7-1500 CPU 1518/1518F MFP variants. The issue is described as a race in network device teardown and ethnl operations that can result in use of destroyed locks, creating an availability risk rather than a confidentiality or integrity issue. The published guidance states that no fix was available at the time of disclosure and relies on compensating controls.
- Vendor
- Siemens
- Product
- SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0)
- CVSS
- MEDIUM 4.7
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2025-06-10
- Original CVE updated
- 2026-05-14
- Advisory published
- 2025-06-10
- Advisory updated
- 2026-05-14
Who should care
OT and ICS operators using the affected Siemens SIMATIC S7-1500 CPU models, especially teams responsible for the device’s GNU/Linux subsystem, application loading, and remote administration. Security and asset-management teams should also care because the advisory applies to five specific product variants and the impact is service disruption.
Technical summary
The advisory says unregister_netdevice_many_notify may run before the rtnl lock section of ethnl operations, which can lead to a use-after-destroyed-lock condition. Siemens/CISA map the issue to a local, high-complexity, low-privilege availability problem (CVSS 3.1 vector AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H) and reference CWE-362 (race condition). The source notes that the fix is to deny operations on devices that are in the process of being unregistered.
Defensive priority
Medium. The CVSS score is 4.7 and the source indicates availability-only impact, but affected devices are industrial control components where even localized service disruption can matter operationally.
Recommended defensive actions
- Inventory the affected Siemens product variants listed in the advisory and confirm whether any are deployed.
- Review the Siemens and CISA advisories for the current status of vendor guidance and any later updates.
- Apply the source-listed compensating control to limit access to the interactive shell of the additional GNU/Linux subsystem to trusted personnel only.
- Only build and run applications from trusted sources on affected devices, as recommended in the advisory.
- Plan for mitigation-based risk reduction because the source states that no fix was available at publication.
Evidence notes
The supplied source corpus is CISA CSAF ICSA-25-162-05 and the Siemens ProductCERT advisory SSA-082556, both naming CVE-2025-21701 and five affected SIMATIC S7-1500 CPU product variants. The advisory description matches the issue summary in the prompt: a race between unregister_netdevice_many_notify and ethnl rtnl-lock handling that can expose destroyed locks. The CVSS vector provided by the source is AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H, which supports a localized denial-of-service interpretation. The remediation section explicitly includes 'Currently no fix is available.'
Official resources
-
CVE-2025-21701 CVE record
CVE.org
-
CVE-2025-21701 NVD detail
NVD
-
Source item URL
cisa_csaf
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
Publicly disclosed on 2025-06-10 in CISA CSAF advisory ICSA-25-162-05, with the source record later updated; the latest listed modification in the supplied timeline is 2026-05-14.