PatchSiren cyber security CVE debrief
CVE-2025-21735 Siemens CVE debrief
CVE-2025-21735 is a HIGH severity vulnerability (CVSS 7.8) in the NFC (Near Field Communication) subsystem of the Linux kernel, specifically in the nci_hci_create_pipe() function. The function is missing bounds checking, which could lead to out-of-bounds access. Siemens has identified it as affecting the GNU/Linux subsystem of its SIMATIC S7-1500 TM MFP industrial control product. The vulnerability was published on April 9, 2024, and has been tracked through multiple advisory updates up to September 2025. As of the latest advisory revision (September 9, 2025), no patch is available from Siemens for this product. Exploitation requires local access with low privileges, but a successful attack can result in complete compromise of confidentiality, integrity, and availability. Given the industrial control context, organizations should implement strict access controls on the interactive shell of the GNU/Linux subsystem and ensure that only trusted applications are executed.
- Vendor: Siemens
- Product: SIMATIC S7-1500 TM MFP - GNU/Linux subsystem
- CVSS: HIGH 7.8
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2024-04-09
- Original CVE updated: 2026-05-14
- Advisory published: 2024-04-09
- Advisory updated: 2026-05-14
Who should care
Industrial control system operators, OT security teams, Siemens SIMATIC S7-1500 TM MFP administrators, critical infrastructure defenders, and organizations running embedded Linux subsystems in industrial environments should prioritize assessment and mitigation of this vulnerability.
Technical summary
The vulnerability exists in the NFC Controller Interface (NCI) implementation within the Linux kernel's HCI (Host Controller Interface) layer. The nci_hci_create_pipe() function lacks proper bounds validation, potentially allowing out-of-bounds memory access. This affects the GNU/Linux subsystem of Siemens SIMATIC S7-1500 TM MFP, an industrial programmable logic controller with embedded Linux capabilities. The local attack vector requires authenticated access but can lead to complete system compromise. No vendor patch is currently available; mitigation relies on access restriction and trusted application execution policies.
Defensive priority
HIGH
Recommended defensive actions
- Restrict interactive shell access to the GNU/Linux subsystem to trusted personnel only
- Implement application whitelisting to ensure only trusted applications are built and executed
- Monitor for anomalous NFC-related activity on affected systems
- Apply defense-in-depth strategies per CISA ICS recommended practices
- Subscribe to Siemens security advisories for patch availability notifications
- Segment affected industrial control systems from untrusted networks
- Review and implement CISA ICS-CERT defense in depth guidance for industrial control systems
Evidence notes
The vulnerability description indicates this is a bounds checking issue in the NFC NCI (NFC Controller Interface) HCI (Host Controller Interface) pipe creation function. The CVSS vector (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) confirms local attack vector with low attack complexity and low privileges required, but with high impact across all three security dimensions. The advisory explicitly states 'Currently no fix is available' as of the latest revision.
Official resources
- CVE-2025-21735 CVE record (CVE.org)
- CVE-2025-21735 NVD detail (NVD)
- Source item URL (cisa_csaf)
This vulnerability was disclosed through coordinated disclosure via CISA and Siemens. The advisory has undergone 10 revision cycles since initial publication, with the most recent update on September 9, 2025, adding 51 additional CVEs to I|