PatchSiren

CVE-2025-21764 Siemens CVE debrief

CVE-2025-21764 is a HIGH severity vulnerability (CVSS 7.8) affecting the Linux kernel's IPv6 Neighbor Discovery (NDISC) subsystem. The issue involves missing RCU (Read-Copy-Update) protection in the ndisc_alloc_skb() function, which can lead to use-after-free conditions. This vulnerability was published on April 9, 2024, and most recently modified on May 14, 2026. Siemens has identified this vulnerability as affecting the GNU/Linux subsystem of the SIMATIC S7-1500 TM MFP industrial control system. The vulnerability requires local access with low privileges to exploit, but successful exploitation can result in complete compromise of confidentiality, integrity, and availability. No patch is currently available from Siemens; mitigation relies on restricting access to trusted personnel and ensuring only trusted applications are executed.

Vendor: Siemens
Product: SIMATIC S7-1500 TM MFP - GNU/Linux subsystem
CVSS: HIGH 7.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2024-04-09
Original CVE updated: 2026-05-14
Advisory published: 2024-04-09
Advisory updated: 2026-05-14

Who should care

Industrial control system operators, OT security teams, Siemens SIMATIC S7-1500 TM MFP administrators, critical infrastructure security personnel, and organizations running affected PLC systems in manufacturing, energy, water treatment, or other industrial sectors should prioritize this vulnerability due to the lack of available patches and high potential impact.

Technical summary

The vulnerability exists in the Linux kernel's ndisc_alloc_skb() function within the IPv6 Neighbor Discovery subsystem. The function lacks proper RCU protection, creating a race condition that can lead to use-after-free memory corruption. This is classified as CWE-416 (Use After Free). The attack requires local access with low privileges but enables complete system compromise. The affected product is the GNU/Linux subsystem embedded in Siemens SIMATIC S7-1500 TM MFP programmable logic controllers used in industrial automation environments.

Defensive priority

HIGH

Recommended defensive actions

  • Restrict interactive shell access to the GNU/Linux subsystem to trusted personnel only
  • Implement application whitelisting to ensure only trusted applications execute on affected systems
  • Monitor for anomalous local process activity on SIMATIC S7-1500 TM MFP systems
  • Apply vendor patches immediately upon release from Siemens
  • Segment affected industrial control systems from untrusted networks
  • Review and implement CISA ICS recommended practices for defense in depth

Evidence notes

The vulnerability description 'ndisc: use RCU protection in ndisc_alloc_skb()' indicates a kernel-level memory safety issue in IPv6 neighbor discovery. The CVSS vector (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) confirms local attack vector with high impact. Siemens' CSAF data explicitly lists this CVE against the SIMATIC S7-1500 TM MFP GNU/Linux subsystem with no fix available.

Official resources

This vulnerability was disclosed through CISA's ICS advisory program (ICSA-24-102-01) and Siemens' product security advisory SSA-265688. The advisory has undergone multiple revisions, with CVE-2025-21764 added in Additional Release 8 on May