PatchSiren cyber security CVE debrief
CVE-2025-21756 Siemens CVE debrief
CVE-2025-21756 is a medium-severity local availability issue associated in Siemens' CSAF advisory with specific SIMATIC S7-1500 CPU MFP and SIPLUS CPU variants. The CVE description points to a vsock binding-preservation flaw, while Siemens' remediation notes say no fix is currently available, so defenders should rely on access restriction and trusted-source controls for the affected GNU/Linux subsystem.
- Vendor
- Siemens
- Product
- SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0)
- CVSS
- MEDIUM 5.5
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2025-06-10
- Original CVE updated
- 2026-05-14
- Advisory published
- 2025-06-10
- Advisory updated
- 2026-05-14
Who should care
OT and ICS teams responsible for the listed Siemens SIMATIC S7-1500 CPU 1518/1518F MFP variants, especially environments that expose the additional GNU/Linux subsystem or allow local application execution on the device.
Technical summary
The supplied CVE description says vsock bindings should be preserved until socket destruction, including sockets that were explicitly bound or implicitly autobound during connect(). In the Siemens advisory context, the affected products are five SIMATIC S7-1500 CPU variants. The supplied CVSS 3.1 vector (AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H) indicates a local attacker with low privileges could trigger a high availability impact, with no confidentiality or integrity impact indicated. Siemens' advisory lists no available fix and recommends limiting interactive shell access of the additional GNU/Linux subsystem to trusted personnel and only building or running applications from trusted sources.
Defensive priority
Elevated for affected OT assets because Siemens lists no fix and the issue can cause high availability impact on devices in the advisory scope.
Recommended defensive actions
- Confirm whether any of the five Siemens product variants listed in the advisory are deployed in your environment.
- Restrict interactive shell access to the additional GNU/Linux subsystem to trusted personnel only.
- Allow only applications from trusted sources to be built and run on affected systems.
- Review Siemens advisory SSA-082556 and CISA advisory ICSA-25-162-05 for updates or future remediation guidance.
- Apply local-access and privilege-minimization controls consistent with CISA ICS recommended practices while no vendor fix is available.
- Validate backup, recovery, and operational fallback plans for availability-sensitive OT deployments.
Evidence notes
This debrief is based only on the supplied CISA CSAF source item and its referenced Siemens advisory. The source maps CVE-2025-21756 to five affected Siemens products: SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0), 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0), 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0), 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0), and SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0). The remediation section explicitly states that currently no fix is available and recommends restricting shell access and using trusted sources. No KEV entry is included in the supplied enrichment.
Official resources
-
CVE-2025-21756 CVE record
CVE.org
-
CVE-2025-21756 NVD detail
NVD
-
Source item URL
cisa_csaf
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
Published 2025-06-10; latest CISA republication update in the supplied timeline is 2026-05-14. The supplied enrichment does not list CVE-2025-21756 in CISA KEV.