PatchSiren

PatchSiren cyber security CVE debrief

CVE-2025-21761 Siemens CVE debrief

This CVE addresses a missing RCU (Read-Copy-Update) protection vulnerability in the Open vSwitch kernel module's `ovs_vport_cmd_fill_info()` function. The flaw could allow a local attacker to trigger a use-after-free condition, potentially leading to privilege escalation, information disclosure, or system instability. The vulnerability affects Siemens SIMATIC S7-1500 TM MFP industrial control systems that utilize the GNU/Linux subsystem with Open vSwitch components. The CVSS 3.1 score of 7.8 (HIGH) reflects significant impact potential with a local attack vector and low attack complexity. No patch is currently available from the vendor, so defensive mitigations must focus on access control and supply chain integrity.

  • Vendor: Siemens
  • Product: SIMATIC S7-1500 TM MFP - GNU/Linux subsystem
  • CVSS: HIGH 7.8
  • CISA KEV: Not listed in stored evidence
  • Original CVE published: 2024-04-09
  • Original CVE updated: 2026-05-14
  • Advisory published: 2024-04-09
  • Advisory updated: 2026-05-14

Who should care

Industrial control system operators, OT security teams, Siemens SIMATIC S7-1500 TM MFP administrators, critical infrastructure security personnel, and organizations running Open vSwitch in embedded Linux environments.

Technical summary

The vulnerability exists in the Open vSwitch kernel module where `ovs_vport_cmd_fill_info()` lacks proper RCU synchronization when accessing vport data structures. Without RCU protection, a race condition can occur between netlink command processing and vport deletion, resulting in use-after-free memory corruption. The affected code path is triggered through netlink socket operations requiring local access. On Siemens SIMATIC S7-1500 TM MFP systems, this exposes the GNU/Linux subsystem to local attackers who have gained shell access. The vulnerability is classified under CWE-416 (Use After Free).

Defensive priority

HIGH

Recommended defensive actions

  • Restrict interactive shell access to the GNU/Linux subsystem to authorized personnel only per vendor mitigation guidance
  • Implement application whitelisting and verify all applications are built from trusted sources before execution
  • Monitor for anomalous local process activity and privilege escalation attempts on affected systems
  • Apply defense-in-depth controls including network segmentation for industrial control system environments
  • Subscribe to Siemens ProductCERT and CISA ICS advisories for patch availability notifications
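
The first action above can be checked with a short triage script. This is an added example, not Siemens or PatchSiren code: it reports whether the `openvswitch` module is loaded and which accounts still have an interactive shell. The function names, file arguments and sample data are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not vendor code): triage the two preconditions the debrief
# names, i.e. the openvswitch kernel module and local interactive shell access.

# Echo "loaded" or "absent" for a /proc/modules-format file.
# Matches the module-name column only, not the "used by" column.
ovs_module_state() {
    if awk '$1 == "openvswitch" { found = 1 } END { exit !found }' "${1:-/proc/modules}"; then
        echo loaded
    else
        echo absent
    fi
}

# Print, one per line, accounts in a passwd-format file with a login shell.
# An empty shell field counts: passwd(5) defaults it to /bin/sh.
interactive_accounts() {
    awk -F: '
        /^#/ || NF < 7 { next }                  # skip comments and malformed rows
        $7 !~ /\/(nologin|false)$/ { print $1 }  # everything else can log in
    ' "${1:-/etc/passwd}"
}

# One-line verdict combining both checks.
exposure_summary() {
    state=$(ovs_module_state "$1")
    accounts=$(interactive_accounts "$2" | paste -sd, -)
    if [ "$state" = loaded ] && [ -n "$accounts" ]; then
        echo "REVIEW: openvswitch loaded; interactive accounts: $accounts"
    else
        echo "OK: openvswitch $state; interactive accounts: ${accounts:-none}"
    fi
}

# Constructed sample inputs (hypothetical host) so the example runs offline.
demo() {
    dir=$(mktemp -d)
    printf '%s\n' 'openvswitch 180224 0 - Live 0x0000000000000000' \
                  'nf_conntrack 172032 1 openvswitch, Live 0x0000000000000000' > "$dir/modules"
    printf '%s\n' 'root:x:0:0:root:/root:/bin/sh' \
                  'daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin' \
                  'svc_ovs:x:998:998::/var/lib/ovs:/bin/false' \
                  'operator:x:1000:1000::/home/operator:' > "$dir/passwd"
    exposure_summary "$dir/modules" "$dir/passwd"
    rm -rf "$dir"
}
demo
```

On a live system, call `exposure_summary /proc/modules /etc/passwd`. A kernel with Open vSwitch built in rather than modular does not list it in `/proc/modules`, so an "absent" result there needs a check of the kernel configuration as well.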

Evidence notes

CVE published 2024-04-09 per CISA CSAF advisory ICSA-24-102-01. Advisory last modified 2026-05-14 with multiple revision updates adding additional CVEs to the same product security notice. Siemens SSA-265688 cross-referenced as primary vendor advisory.
