PatchSiren

PatchSiren cyber security CVE debrief

CVE-2025-21724 Siemens CVE debrief

CVE-2025-21724 is a local memory-safety issue in the Linux iommufd/iova_bitmap code path that Siemens included in its SIMATIC S7-1500 CPU family advisory. The problem is a shift-out-of-bounds in iova_bitmap_offset_to_index(): the expression shifts the integer literal 1 by bitmap->mapped.pgshift, and when pgshift is greater than 31 with a typical 32-bit int, the shift is undefined behavior. CISA’s CSAF for Siemens lists five affected SIMATIC/SIPLUS CPU models and states that no fix is currently available. Siemens recommends restricting shell access to trusted personnel and only building and running applications from trusted sources.

Vendor: Siemens
Product: SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0)
CVSS: MEDIUM 5.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2025-06-10
Original CVE updated: 2026-05-14
Advisory published: 2025-06-10
Advisory updated: 2026-05-14

Who should care

OT security teams, plant operators, and administrators responsible for the listed Siemens SIMATIC S7-1500 CPU 1518/1518F MFP variants, especially environments that expose or use the additional GNU/Linux subsystem or interactive shell.

Technical summary

The advisory describes a UBSAN-detected shift-out-of-bounds in iova_bitmap_offset_to_index(). The buggy operation shifts the constant 1, which defaults to a signed int, by bitmap->mapped.pgshift. If pgshift exceeds the bit width of that type (for example, 63), the result cannot be represented and the shift has undefined behavior. The CSAF lists the issue as affecting five Siemens products and classifies it with CVSS 3.1 vector AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H, indicating local attack conditions and high availability impact.
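
The shift described above, as an added C example (not code from the advisory or from the Linux kernel): it places the int-literal form next to a checked 64-bit form. The function names and the 64-bit bitmap word size are assumptions made for this example, and the checked form goes slightly beyond the text by also handling a combined shift that exceeds 64 bits.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Assumption for this example: one bitmap word holds 64 bits (2^6). */
#define WORD_BITS_LOG2 6u

/* True when `1 << pgshift` on an int literal is defined in C,
 * i.e. the shifted value still fits in a signed int. */
static bool int_shift_is_defined(unsigned int pgshift)
{
    return pgshift < sizeof(int) * CHAR_BIT - 1;
}

/* Shape of the flawed expression: the literal 1 is an int, so the shift
 * happens in int before the result is widened. Call it only when
 * int_shift_is_defined(pgshift) holds. */
static uint64_t offset_to_index_int_literal(unsigned int pgshift, uint64_t iova)
{
    uint64_t pgsize = 1 << pgshift;
    return iova / (64 * pgsize);
}

/* Checked form: validate the shift count, then divide by
 * (64 * 2^pgshift) as a single right shift so that neither the shift
 * nor the multiplication can overflow. */
static bool offset_to_index_checked(unsigned int pgshift, uint64_t iova,
                                    uint64_t *index)
{
    if (pgshift >= 64)
        return false;                 /* no 64-bit page size exists */
    unsigned int total = pgshift + WORD_BITS_LOG2;
    *index = (total >= 64) ? 0 : (iova >> total);
    return true;
}

int main(void)
{
    uint64_t idx = 0;
    bool ok = offset_to_index_checked(63, UINT64_MAX, &idx);
    printf("pgshift=63 int shift defined: %d\n", int_shift_is_defined(63));
    printf("pgshift=63 checked: ok=%d index=%llu\n", ok,
           (unsigned long long)idx);
    return 0;
}
```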

Defensive priority

Medium. The issue is locally exploitable according to the published CVSS vector, affects specific OT CPU products, and currently has no vendor fix in the supplied advisory.

Recommended defensive actions

  • Verify whether any of the five listed Siemens SIMATIC/SIPLUS CPU models are deployed in your environment.
  • Restrict access to the additional GNU/Linux subsystem shell to trusted personnel only, as recommended in the advisory.
  • Only build and run applications from trusted sources on affected systems.
  • Monitor Siemens ProductCERT and CISA for an updated advisory or remediation release.
  • Apply a fix or compensating control promptly when Siemens publishes one.
  • Inventory OT assets that use the affected CPU family and document exposure to local shell or application execution paths.

Evidence notes

The supplied CISA CSAF advisory (ICSA-25-162-05) for Siemens SIMATIC S7-1500 CPU family lists CVE-2025-21724, the five affected product IDs/names, and the remediation note that no fix is currently available. Siemens’ referenced SSA-082556 advisory is the vendor source linked from the CSAF. The CVSS vector in the corpus is CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H. Timing context is based on the CVE/source publication date of 2025-06-10 and the latest supplied modification date of 2026-05-14.

Official resources

Publicly disclosed in the supplied CISA/Siemens advisory materials on 2025-06-10; the source record was later updated on 2026-05-14.