PatchSiren cyber security CVE debrief

CVE-2025-21703 Siemens CVE debrief

CISA’s CSAF advisory for Siemens SIMATIC S7-1500 TM MFP - BIOS was published on 2025-03-11 and later revised on 2025-09-09. The supplied vulnerability description says the child qdisc backlog must be reduced before qdisc_tree_reduce_backlog() is called; otherwise parent notification can be missed, and in the DRR case that could lead to a use-after-free because qlen_notify() maintains the active list. At publication, the advisory listed no fix and only a limited workaround.

Vendor: Siemens
Product: SIMATIC S7-1500 TM MFP - BIOS
CVSS: HIGH (7.0)
CISA KEV: Not listed in stored evidence
Original CVE published: 2025-03-11
Original CVE updated: 2025-09-09
Advisory published: 2025-03-11
Advisory updated: 2025-09-09

Who should care

Siemens customers using the affected SIMATIC S7-1500 TM MFP - BIOS, along with OT/ICS defenders responsible for tracking vendor advisories and compensating controls, should prioritize this issue.

Technical summary

The core issue described in the source is an ordering bug in traffic-control backlog handling: qdisc_tree_reduce_backlog() only notifies the parent qdisc (through qlen_notify()) when it observes the child as empty at the time of the call, so the child's backlog must already have been reduced before it is invoked. If the order is reversed, qlen_notify() never runs for the packet that emptied the child; the advisory states that in DRR this disrupted maintenance of the active list and resulted in a use-after-free.
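To make the ordering rule concrete, the following is an added, constructed userland C model; it is not kernel code and not from the advisory or Siemens. It mimics a parent's active list and a child's backlog with simplified stand-ins for the kernel functions named above, and shows that only the wrong order leaves an empty child linked, and only when the last packet is drained.

```c
#include <stdbool.h>

/* Constructed userland model of the ordering rule in the advisory; this is
 * not kernel code. The parent keeps an "active list" of non-empty children
 * (as DRR does) and must unlink a child exactly when it becomes empty. */
struct child_qdisc {
    int qlen;           /* packets currently queued in the child */
};
struct parent_qdisc {
    bool child_active;  /* child is linked in the parent's active list */
};

/* Models qlen_notify(): the parent unlinks the now-empty child. */
static void qlen_notify(struct parent_qdisc *p)
{
    p->child_active = false;
}

/* Models qdisc_tree_reduce_backlog(): notifies the parent only if the
 * child is empty at the moment of the call. */
static void qdisc_tree_reduce_backlog(struct parent_qdisc *p,
                                      const struct child_qdisc *c)
{
    if (c->qlen == 0)
        qlen_notify(p);
}

/* True when the active list agrees with the child. False means an empty
 * child is still linked: the stale entry the advisory ties to the UAF. */
bool tree_consistent(const struct parent_qdisc *p, const struct child_qdisc *c)
{
    return !(c->qlen == 0 && p->child_active);
}

/* Drains one packet from a child holding initial_qlen packets, in the
 * chosen order, and reports whether the parent's view stayed consistent. */
bool drop_one_packet(int initial_qlen, bool reduce_child_first)
{
    struct child_qdisc c = { .qlen = initial_qlen };
    struct parent_qdisc p = { .child_active = initial_qlen > 0 };
    if (reduce_child_first) {
        c.qlen--;                          /* correct: shrink backlog first */
        qdisc_tree_reduce_backlog(&p, &c);
    } else {
        qdisc_tree_reduce_backlog(&p, &c); /* wrong: parent sees the old qlen */
        c.qlen--;                          /* notification already missed */
    }
    return tree_consistent(&p, &c);
}
```

Draining a child that still has packets left afterwards is consistent in either order; the inconsistency appears only on the packet that empties the child, which is why the bug is easy to miss in testing.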

Defensive priority

High

Recommended defensive actions

  • Review Siemens advisory SSA-503939 and CISA ICSA-25-072-03 for the full affected scope and current status.
  • Treat the affected product as a high-priority maintenance item and plan for vendor guidance updates, since the advisory states no fix was available at publication.
  • Apply the advisory’s stated workaround (building and running applications only from trusted sources) and validate any compensating controls during approved OT change windows.
  • Monitor for revised advisory information after 2025-09-09 and re-check the product’s exposure in your asset inventory.

Evidence notes

The source corpus ties CVE-2025-21703 to Siemens SIMATIC S7-1500 TM MFP - BIOS and gives a netem/qdisc description involving qdisc_tree_reduce_backlog(), qlen_notify(), DRR, and a resulting UAF. The advisory metadata states publication on 2025-03-11, revision on 2025-09-09, CVSS 3.1 vector AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H, no fix available, and a workaround limited to building/running applications from trusted sources. The corpus also contains a product/advisory context that appears broader than the technical description; this debrief follows the supplied sources without inferring beyond them.

Official resources

Publicly disclosed via CISA CSAF on 2025-03-11 (ICSA-25-072-03); the source advisory was revised on 2025-09-09.