PatchSiren cyber security CVE debrief
CVE-2025-21702 Siemens CVE debrief
CVE-2025-21702 is a high-severity Linux kernel queue-management issue described in Siemens and CISA advisories for the SIMATIC S7-1500 CPU family. The supplied advisory text says a pfifo_tail_enqueue() edge case can increase queue length even when sch->limit is 0 and the queue is empty, violating parent/child qlen accounting. Siemens/CISA state the issue can be used for user-to-kernel privilege escalation when reachable, and the supplied advisory lists no fix yet.
- Vendor
- Siemens
- Product
- SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0)
- CVSS
- HIGH 7.8
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2025-06-10
- Original CVE updated
- 2026-05-14
- Advisory published
- 2025-06-10
- Advisory updated
- 2026-05-14
Who should care
Operators of the listed Siemens SIMATIC S7-1500 CPU family products, ICS security teams, and defenders responsible for any embedded Linux subsystem or trusted-code controls on affected devices.
Technical summary
The advisory text describes a Linux kernel traffic-control/qdisc accounting flaw in pfifo_tail_enqueue(). When sch->limit == 0 and the scheduler queue is empty, the expected drop step can do nothing, but the function still enqueues a new packet and increments qlen. In the described parent/child qdisc setup, that can leave the child qlen at 1 while the parent remains at 0, breaking the expected invariant that parent queue length reflects the sum of its children. The advisory states this condition can be leveraged for user-to-kernel privilege escalation when reachable.
Defensive priority
High — the supplied advisory rates the issue 7.8/High and states there is currently no fix available.
Recommended defensive actions
- Restrict access to the interactive shell of the additional GNU/Linux subsystem to trusted personnel only.
- Only build and run applications from trusted sources on affected systems.
- Treat affected devices as high priority for containment and least-privilege review until a vendor fix is available.
- Monitor Siemens ProductCERT and CISA for updated guidance, remediation versions, or revised mitigations.
- Review whether the listed SIMATIC S7-1500 CPU family products are deployed in environments where untrusted code or local access is possible.
Evidence notes
The supplied CISA CSAF advisory ICSA-25-162-05 was published on 2025-06-10 and updated through 2026-05-14. It lists five affected Siemens SIMATIC S7-1500 CPU family products and includes the advisory text describing a pfifo_tail_enqueue() queue-length accounting flaw. The advisory states the issue can lead to user-to-kernel privilege escalation when reachable and also states that currently no fix is available. Mitigations in the supplied advisory focus on limiting access to the interactive shell of the additional GNU/Linux subsystem and only building/running trusted applications. The source description in the prompt is truncated, so this debrief stays within the text provided there and the official linked advisory pages.
Official resources
-
CVE-2025-21702 CVE record
CVE.org
-
CVE-2025-21702 NVD detail
NVD
-
Source item URL
cisa_csaf
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
Publicly disclosed in the CISA CSAF advisory ICSA-25-162-05 on 2025-06-10, with updates through 2026-05-14. The supplied corpus also references Siemens ProductCERT advisory SSA-082556 as the underlying vendor advisory.