CVE-2025-21760 Siemens CVE debrief

Who should care

Organizations operating Siemens SIMATIC S7-1500 TM MFP industrial control systems with the GNU/Linux subsystem enabled should prioritize this vulnerability. System administrators, OT security teams, and industrial asset owners in manufacturing, process control, and critical infrastructure sectors need to assess their exposure and implement compensating controls until a vendor patch becomes available.

Technical summary

This vulnerability exists in the Linux kernel's IPv6 Neighbor Discovery protocol implementation. The ndisc_send_skb() function lacks proper RCU protection, creating a race condition that can result in use-after-free memory corruption. The vulnerability is classified under CWE-416 (Use After Free). In the context of Siemens SIMATIC S7-1500 TM MFP, the GNU/Linux subsystem is affected, potentially allowing an attacker with local access to escalate privileges or cause denial of service. The attack requires local access but no user interaction, with successful exploitation yielding complete compromise of the affected system's confidentiality, integrity, and availability.

Defensive priority

HIGH

Recommended defensive actions

• Limit access to the interactive shell of the additional GNU/Linux subsystem to trusted personnel only
• Only build and run applications from trusted sources
• Monitor for vendor security advisories from Siemens for future patch availability
• Apply network segmentation to limit exposure of affected industrial control systems
• Review and implement CISA ICS recommended practices for defense in depth

Evidence notes

The vulnerability description indicates this is a kernel-level RCU protection issue in the IPv6 neighbor discovery implementation. The CVSS vector (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) confirms local attack vector with low complexity and high impact potential. The source advisory (ICSA-24-102-01) from CISA's CSAF repository provides official vendor acknowledgment through Siemens.

Official resources