CVE-2025-21846 Siemens CVE debrief

Who should care

Industrial control system operators, OT security teams, and asset owners using Siemens SIMATIC S7-1500 TM MFP devices with the GNU/Linux subsystem enabled should prioritize this vulnerability. Organizations in manufacturing, process control, and critical infrastructure sectors relying on these programmable logic controllers for automation should assess exposure and implement compensating controls until a patch becomes available.

Technical summary

The vulnerability exists in the Linux kernel's process accounting (acct) implementation within the GNU/Linux subsystem of Siemens SIMATIC S7-1500 TM MFP devices. The flaw relates to performing the last write operation from a workqueue context, which can lead to availability impacts. The CVSS 3.1 vector (AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H) indicates a local attack vector with low attack complexity, requiring low privileges but no user interaction, resulting in high availability impact with no confidentiality or integrity impact.

Defensive priority

medium

Recommended defensive actions

• Restrict interactive shell access to the GNU/Linux subsystem to trusted personnel only
• Implement application whitelisting - only build and run applications from trusted sources
• Monitor for anomalous process accounting activity on affected devices
• Apply defense-in-depth strategies per ICS-CERT recommended practices
• Subscribe to Siemens ProductCERT security advisories for patch availability updates

Evidence notes

Evidence derived from CISA ICS advisory ICSA-24-102-01 and Siemens security advisory SSA-265688. CVSS vector confirms local attack vector with low attack complexity.

Official resources