CVE-2025-21762 Siemens CVE debrief

Who should care

Siemens SIMATIC S7-1500 TM MFP operators, OT/ICS engineers, system administrators, and security teams responsible for Linux-based industrial platforms that include the affected Siemens product.

Technical summary

The advisory states that arp_xmit() can be invoked without RTNL or RCU protection. The resolution is to add RCU protection to avoid a potential use-after-free. Based on the supplied CVSS vector (AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H), the practical risk is local exploitation leading to availability impact.

Defensive priority

Medium

Recommended defensive actions

• Track Siemens advisory SSA-503939 and the CISA ICS advisory for updates, since the supplied source says no fix was available at publication time.
• Apply Siemens guidance to only build and run applications from trusted sources.
• Follow CISA ICS recommended practices and defense-in-depth guidance for industrial control systems.
• Review whether the affected Siemens SIMATIC S7-1500 TM MFP - BIOS product is deployed in your environment and document compensating controls until a vendor fix is available.
• Limit local access and privileged use on affected systems to reduce exposure to the local/low-privilege attack conditions indicated by the CVSS vector.

Evidence notes

The source corpus links CVE-2025-21762 to CISA advisory ICSA-25-072-03 and Siemens advisory SSA-503939. The advisory description explicitly says the Linux kernel vulnerability is resolved by using RCU protection in arp_xmit() to avoid a potential UAF. The remediations section states that no fix was available at publication time and provides a trusted-sources-only workaround. The supplied CVSS vector indicates local, low-privilege, no-interaction conditions with availability impact only.

Official resources