PatchSiren


CVE-2025-21766 Siemens CVE debrief

CVE-2025-21766 is a medium-severity availability issue affecting select Siemens SIMATIC S7-1500 CPU 1518 MFP variants. The advisory ties the risk to the device’s additional GNU/Linux subsystem, and Siemens/CISA note that no fix is currently available. The practical takeaway is to restrict subsystem access and limit use to trusted software sources while monitoring for vendor updates.

Vendor: Siemens
Product: SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0)
CVSS: MEDIUM 5.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2025-06-10
Original CVE updated: 2026-05-14
Advisory published: 2025-06-10
Advisory updated: 2026-05-14

Who should care

Operators and maintainers of the listed Siemens SIMATIC S7-1500 CPU 1518/1518F MFP devices, especially teams that use or administer the additional GNU/Linux subsystem shell on these controllers.

Technical summary

The CVE describes a Linux IPv4 bug in __ip_rt_update_pmtu() where RCU protection is required to ensure the net structure being read does not disappear during access. In the supplied advisory context, Siemens maps the issue to five SIMATIC S7-1500 CPU product variants that include an additional GNU/Linux subsystem. The provided CVSS vector indicates local access with low privileges and a high availability impact, consistent with a denial-of-service or stability concern rather than a confidentiality or integrity issue.

Defensive priority

High for exposed or routinely administered affected CPUs, because Siemens lists no available fix and the guidance relies on access restriction and software trust controls rather than patching.

Recommended defensive actions

  • Identify whether any of the five listed Siemens CPU product variants are in use: 6ES7518-4AX00-1AB0, 6ES7518-4AX00-1AC0, 6ES7518-4FX00-1AB0, 6ES7518-4FX00-1AC0, or 6AG1518-4AX00-4AC0.
  • Restrict access to the interactive shell of the additional GNU/Linux subsystem to trusted personnel only.
  • Only build and run applications from trusted sources on the affected systems.
  • Track Siemens ProductCERT advisory SSA-082556 and CISA ICSA-25-162-05 for any future remediation updates.
  • Apply general ICS defense-in-depth and least-privilege controls around engineering workstations, maintenance accounts, and management interfaces.
  • Review whether the GNU/Linux subsystem is needed at all on each deployment and disable or isolate it where operationally feasible.
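
One way to carry out the first action above against an asset inventory export, as an added example that is not part of the advisory or of any Siemens or CISA tooling. The CSV layout, the column name order_number, the asset rows and all function names are assumptions made for illustration; only the five order numbers and the advisory IDs come from this page.

```python
import csv
import io
import re

# Order numbers listed on this page as affected by CVE-2025-21766.
AFFECTED_MLFBS = {
    "6ES7518-4AX00-1AB0",
    "6ES7518-4AX00-1AC0",
    "6ES7518-4FX00-1AB0",
    "6ES7518-4FX00-1AC0",
    "6AG1518-4AX00-4AC0",
}
# Dash-free lookup key -> canonical spelling, so "6ES75184AX001AB0" also matches.
_CANON = {m.replace("-", ""): m for m in AFFECTED_MLFBS}

def normalize_mlfb(raw):
    """Upper-case, strip whitespace, and map Unicode dashes to ASCII '-'."""
    text = re.sub(r"[\u2010-\u2015\u2212]", "-", raw or "")
    return re.sub(r"\s+", "", text).upper()

def match_affected(raw):
    """Return the canonical affected order number for raw, or None."""
    return _CANON.get(normalize_mlfb(raw).replace("-", ""))

def find_affected(inventory_csv, mlfb_column="order_number"):
    """Return inventory rows whose order number is on the affected list."""
    hits = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        mlfb = match_affected(row.get(mlfb_column))
        if mlfb:
            hits.append({**row, "matched_mlfb": mlfb})
    return hits

# Constructed sample export: asset names, locations and the third order
# number are made up; formatting quirks mimic real spreadsheet exports.
SAMPLE_INVENTORY = """asset,location,order_number
plc-line1,Hall A,6ES7 518-4AX00-1AB0
plc-line2,Hall A,6es7518-4fx00-1ac0
plc-pack3,Hall B,6ES7000-0AA00-0AA0
plc-siplus,Yard,6AG1518\u20114AX00\u20114AC0
hmi-07,Hall B,
"""

if __name__ == "__main__":
    for hit in find_affected(SAMPLE_INVENTORY):
        print(f"{hit['asset']} ({hit['location']}): {hit['matched_mlfb']} "
              "-> see SSA-082556 / ICSA-25-162-05")
```

Rows with an empty or unrecognised order number are skipped rather than flagged, so assets lacking an order number in the inventory still need a manual check.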

Evidence notes

The CVE description states that __ip_rt_update_pmtu() must use RCU protection so the net structure it reads does not disappear. The CISA CSAF advisory identifies the affected Siemens product family and states that no fix is currently available, with mitigation guidance focused on limiting shell access and trusting software sources. Timing is based on the supplied publication date of 2025-06-10; later advisory revisions in 2026 are update events, not the original issue date.

Official resources

Publicly disclosed on 2025-06-10 in CISA ICS advisory ICSA-25-162-05 / Siemens ProductCERT SSA-082556. The advisory was later republished in updated form, with the latest supplied modification date of 2026-05-14.