CVE-2025-21704 Siemens CVE debrief

Who should care

Organizations operating Siemens SIMATIC S7-1500 TM MFP industrial control systems with the GNU/Linux subsystem enabled. This includes manufacturing facilities, critical infrastructure operators, and industrial automation environments where these programmable logic controllers are deployed. System administrators and OT security teams responsible for securing industrial control system assets should prioritize access controls given the absence of an available patch.

Technical summary

The vulnerability exists in the USB Communications Device Class Abstract Control Model (CDC-ACM) driver within the Linux kernel. The driver fails to properly validate the size of control transfer buffers before accessing them. This improper input validation (CWE-20) could be exploited by a local attacker with high privileges to trigger denial of service conditions. The attack requires local access with high privileges, has low attack complexity, and results in high availability impact with no confidentiality or integrity impact per the CVSS 3.1 vector.

Defensive priority

medium

Recommended defensive actions

• Restrict interactive shell access to the GNU/Linux subsystem to trusted personnel only
• Implement application whitelisting to ensure only trusted applications are built and executed
• Monitor for anomalous USB device connections to affected systems
• Apply defense-in-depth strategies per CISA ICS recommended practices
• Subscribe to Siemens ProductCERT security advisories for patch availability updates

Evidence notes

CISA ICS advisory ICSA-24-102-01 documents this vulnerability in Siemens SIMATIC S7-1500 TM MFP systems. The advisory was initially published on April 9, 2024, and has undergone multiple revisions through September 2025 to incorporate additional CVEs. Siemens has confirmed no patch is currently available.

Official resources