PatchSiren cyber security CVE debrief
CVE-2025-21728 Siemens CVE debrief
CVE-2025-21728 is a medium-severity availability issue affecting Siemens SIMATIC S7-1500 CPU MFP variants that include an additional GNU/Linux subsystem. The source advisory maps the issue to Linux BPF signal handling: if a non-preemptible BPF program uses bpf_send_signal(), the call can sleep and trigger problems in that execution context. Siemens/CISA list no fix at publication time, so defenders should focus on restricting local access, limiting who can use the subsystem shell, and ensuring only trusted software is built and run there.
- Vendor
- Siemens
- Product
- SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0)
- CVSS
- MEDIUM 5.5
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2025-06-10
- Original CVE updated
- 2026-05-14
- Advisory published
- 2025-06-10
- Advisory updated
- 2026-05-14
Who should care
OT/ICS operators, Siemens SIMATIC S7-1500 owners, plant engineers, and security teams responsible for devices running the additional GNU/Linux subsystem, especially where local users or custom applications are permitted.
Technical summary
The advisory describes a Linux BPF kfunc issue: bpf_send_signal() may sleep, which is incompatible with non-preemptible execution contexts. On the affected Siemens SIMATIC S7-1500 CPU 1518-family MFP products, the practical impact is availability-focused and locally reachable according to the supplied CVSS vector (AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H). The source corpus does not identify a confidentiality or integrity impact, and it states that no fix is currently available for the listed products.
Defensive priority
Medium. Prioritize if the affected CPU runs third-party or custom applications in the GNU/Linux subsystem, or if multiple local users have access to the shell or application deployment path.
Recommended defensive actions
- Inventory the listed affected Siemens products and confirm whether the additional GNU/Linux subsystem is enabled and in use.
- Limit access to the interactive shell of the additional GNU/Linux subsystem to trusted personnel only.
- Only build and run applications from trusted sources on the affected devices.
- Apply Siemens and CISA advisory updates as they are released, since the source corpus states that no fix is currently available.
- Reduce local privilege exposure and review who can execute or deploy BPF-related workloads in the subsystem.
- Monitor the Siemens ProductCERT and CISA advisory pages for any new remediation guidance or firmware/software updates.
Evidence notes
The supplied CISA CSAF source item for ICSA-25-162-05 and Siemens SSA-082556 identify five affected SIMATIC S7-1500 CPU MFP product variants and state 'Currently no fix is available.' The advisory remediation guidance specifically recommends limiting interactive shell access and only running trusted-source applications. The CVSS vector is AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H, supporting a local, availability-focused impact assessment.
Official resources
-
CVE-2025-21728 CVE record
CVE.org
-
CVE-2025-21728 NVD detail
NVD
-
Source item URL
cisa_csaf
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
CVE-2025-21728 was published on 2025-06-10 in CISA's ICSA-25-162-05 advisory and Siemens SSA-082556 materials. The source corpus shows a latest CISA republication update on 2026-05-14, which should be treated as an advisory update date, not