PatchSiren

CVE-2025-21796 Siemens CVE debrief

The supplied advisory data ties CVE-2025-21796 to five Siemens SIMATIC/SIPLUS S7-1500 CPU variants and describes a local availability issue in nfsd ACL handling. Siemens/CISA rate it CVSS 5.5 (medium) with high availability impact, no confidentiality or integrity impact, and no current fix available. For OT environments, the practical priority is to reduce exposure of the GNU/Linux subsystem and limit who can use the interactive shell while monitoring for vendor updates.

Vendor: Siemens
Product: SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0)
CVSS: MEDIUM 5.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2025-06-10
Original CVE updated: 2026-05-14
Advisory published: 2025-06-10
Advisory updated: 2026-05-14

Who should care

OT operators, PLC/industrial automation administrators, and Siemens SIMATIC S7-1500 owners—especially sites that use the GNU/Linux subsystem, interactive shell access, or third-party applications.

Technical summary

The CVE description says nfsd should clear acl_access and acl_default after releasing them, and that if retrieving acl_default fails, both ACL objects may be released together. The supplied advisory assigns CVSS 3.1 AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H, indicating a locally reachable issue with low privileges and a primary availability impact. The Siemens/CISA source set lists five affected CPU variants and states that no fix is currently available.
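As an added illustration (not Siemens, CISA or kernel code), the following userland C model shows why acl_access and acl_default need to be cleared after they are released. The structs, the reference counter and all function names are hypothetical, and the model assumes a common cleanup step later releases whatever pointers are still set.

```c
#include <stddef.h>
#include <stdio.h>

/* Constructed userland model; struct and function names are hypothetical. */
struct acl { int refs; };
struct resp { struct acl *acl_access, *acl_default; };

static int underflows;            /* releases attempted on a dead object */

static void acl_release(struct acl *a)
{
    if (!a) return;               /* a NULL pointer is ignored */
    if (a->refs <= 0) { underflows++; return; }
    a->refs--;
}

/* Error path taken when retrieving acl_default fails. */
static void fail_path(struct resp *r, int clear)
{
    acl_release(r->acl_access);
    acl_release(r->acl_default);
    if (clear) {                  /* the fix pattern: drop the stale pointers */
        r->acl_access = NULL;
        r->acl_default = NULL;
    }
}

/* Assumed common cleanup that runs after every request. */
static void common_release(struct resp *r)
{
    acl_release(r->acl_access);
    acl_release(r->acl_default);
}

/* Returns the number of refcount underflows for one failed request. */
int simulate_failed_getacl(int clear)
{
    struct acl access = { .refs = 1 };
    struct resp r = { .acl_access = &access, .acl_default = NULL };
    underflows = 0;
    fail_path(&r, clear);
    common_release(&r);
    return underflows;
}

int main(void)
{
    printf("kept: %d\n", simulate_failed_getacl(0));
    printf("cleared: %d\n", simulate_failed_getacl(1));
    return 0;
}
```

With the pointers left in place the cleanup step releases acl_access a second time; with them cleared, the second pass is a no-op.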

Defensive priority

Medium. Prioritize if any listed Siemens SIMATIC/SIPLUS S7-1500 CPU variants are deployed and if the GNU/Linux subsystem or interactive shell is in use, because the advisory reports no fix available.

Recommended defensive actions

  • Restrict access to the interactive shell of the GNU/Linux subsystem to trusted personnel only.
  • Only build and run applications from trusted sources.
  • Track Siemens ProductCERT and CISA advisory updates for a future fix or additional guidance.
  • Limit unnecessary local access paths on affected devices and apply least-privilege controls wherever possible.
  • Review OT segmentation and monitoring so affected controllers are less exposed to untrusted local use.

Evidence notes

CISA's CSAF republication of Siemens ProductCERT SSA-082556 is the supplied source item for this CVE. It lists five affected Siemens SIMATIC/SIPLUS S7-1500 CPU variants, gives CVSS 3.1 vector AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H (5.5), and includes remediation text that says to limit interactive shell access to trusted personnel and only build/run applications from trusted sources. The advisory also states that currently no fix is available.

Official resources

CVE-2025-21796 was published on 2025-06-10 and last modified on 2026-05-14 in the supplied timeline/source metadata. The provided data does not mark it as a CISA KEV item.