PatchSiren cyber security CVE debrief
CVE-2025-21753 Siemens CVE debrief
A use-after-free vulnerability in the Btrfs filesystem implementation of the Linux kernel affects the GNU/Linux subsystem of Siemens SIMATIC S7-1500 TM MFP industrial control devices. The flaw occurs when attempting to join an aborted transaction, potentially allowing a local attacker to execute arbitrary code with elevated privileges. The vulnerability carries a HIGH severity CVSS 3.1 score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating significant impact to confidentiality, integrity, and availability when exploited locally. No patch is currently available from the vendor.
- Vendor: Siemens
- Product: SIMATIC S7-1500 TM MFP - GNU/Linux subsystem
- CVSS: HIGH 7.8
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2024-04-09
- Original CVE updated: 2026-05-14
- Advisory published: 2024-04-09
- Advisory updated: 2026-05-14
Who should care
Operators of Siemens SIMATIC S7-1500 TM MFP systems utilizing the GNU/Linux subsystem; industrial control system security teams; OT/ICS asset owners; organizations with Btrfs deployments on embedded Linux systems in critical infrastructure.
Technical summary
The vulnerability exists in the Btrfs (B-tree filesystem) implementation within the Linux kernel. Specifically, when code attempts to join a transaction that has already been aborted, a use-after-free condition can occur. This memory safety defect could enable a local attacker with low privileges to corrupt memory and potentially escalate to arbitrary code execution with higher privileges. The attack vector is local, attack complexity is low, and no user interaction is required. The GNU/Linux subsystem on Siemens SIMATIC S7-1500 TM MFP devices incorporates affected kernel components, exposing industrial control environments to this vulnerability.
Defensive priority
HIGH
Recommended defensive actions
- Restrict interactive shell access to the GNU/Linux subsystem to trusted personnel only
- Build and run only applications from trusted sources
- Monitor for vendor security updates from Siemens CERT
- Apply defense-in-depth strategies for industrial control systems per CISA guidance
- Segment affected devices from untrusted networks where possible
Evidence notes
CVE published 2024-04-09; advisory ICSA-24-102-01 was initially released on the same date. Modified 2026-05-14 per the CISA CSAF source. CVE-2025-21753 was added to the advisory in Additional Release 8 (2025-08-12) per the revision history.
Official resources
- CVE-2025-21753 CVE record (CVE.org)
- CVE-2025-21753 NVD detail (NVD)
- Source item URL (cisa_csaf)
- Source reference