PatchSiren cyber security CVE debrief
CVE-2025-21745 Siemens CVE debrief
CVE-2025-21745 is a Linux kernel issue that Siemens and CISA map to the SIMATIC S7-1500 CPU family. The flaw is a refcount leakage in blk-cgroup code: blkcg_fill_root_iostats() iterates through block_class devices but does not end the iteration with class_dev_iter_exit(), which can leak the class subsystem reference count. The advisory characterizes the issue as an availability problem with local attack conditions and high availability impact. Siemens’ published guidance says no fix is currently available, so defenders should rely on compensating controls and watch for advisory updates.
- Vendor
- Siemens
- Product
- SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0)
- CVSS
- MEDIUM 5.5
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2025-06-10
- Original CVE updated
- 2026-05-14
- Advisory published
- 2025-06-10
- Advisory updated
- 2026-05-14
Who should care
OT/ICS asset owners, plant operators, and maintenance teams responsible for the affected Siemens SIMATIC S7-1500 CPU variants, especially where the additional GNU/Linux subsystem or its interactive shell is enabled or reachable.
Technical summary
According to the source advisory, the Linux kernel blk-cgroup path in blkcg_fill_root_iostats() uses class_dev_iter_(init|next)() to walk @block_class devices but fails to call class_dev_iter_exit(). That omission leaks the block_class subsystem reference count. The CVSS v3.1 vector provided by the advisory is AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H, indicating a local, low-complexity availability impact. Siemens maps the issue to five SIMATIC S7-1500 CPU product variants in the CSAF advisory.
Defensive priority
Medium. Prioritize mitigation if the affected Siemens CPU’s additional GNU/Linux subsystem is exposed, because the advisory reports no fix available and the impact is availability-only but potentially operationally significant.
Recommended defensive actions
- Limit access to the interactive shell of the additional GNU/Linux subsystem to trusted personnel only.
- Only build and run applications from trusted sources.
- Inventory the affected Siemens SIMATIC S7-1500 CPU variants and confirm whether the additional GNU/Linux subsystem is enabled or exposed.
- Apply least-privilege and segmentation controls around engineering and maintenance access to the device.
- Monitor Siemens ProductCERT and CISA advisory updates for any new fix or revised guidance.
Evidence notes
This debrief is based only on the supplied CISA CSAF source item and the referenced Siemens/CISA advisory links. The vulnerability description, affected product list, and the 'no fix available' remediation wording come from the advisory corpus. The CVSS vector provided in the source is AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H, which supports a local availability-impact assessment. Published and modified dates are taken from the CVE/advisory timeline provided (publication 2025-06-10; latest update 2026-05-14).
Official resources
-
CVE-2025-21745 CVE record
CVE.org
-
CVE-2025-21745 NVD detail
NVD
-
Source item URL
cisa_csaf
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
Publicly disclosed in the CISA/Siemens advisory on 2025-06-10 and updated through 2026-05-14. The supplied corpus does not list the issue in CISA KEV, and no exploit publication is provided in the source material.