CVE-2025-21859 Siemens CVE debrief

Who should care

Industrial control system operators, OT security teams, and organizations using Siemens SIMATIC S7-1500 TM MFP systems in manufacturing, process control, or critical infrastructure environments should prioritize access controls and monitoring for this vulnerability given the lack of available patches.

Technical summary

The vulnerability exists in the Linux kernel's USB gadget MIDI function driver (f_midi). The f_midi_complete function does not properly invoke queue_work, which can result in work items not being scheduled correctly. This local vulnerability requires low privileges to exploit and can cause high availability impact (denial of service) on affected systems. The vulnerability affects the GNU/Linux subsystem of Siemens SIMATIC S7-1500 TM MFP programmable logic controllers used in industrial automation environments.

Defensive priority

medium

Recommended defensive actions

• Restrict interactive shell access to the GNU/Linux subsystem to trusted personnel only
• Only build and run applications from trusted sources
• Monitor for vendor security updates from Siemens
• Apply defense-in-depth strategies for industrial control systems per CISA guidance
• Segment affected systems from untrusted networks where possible

Evidence notes

Vulnerability description sourced from CISA CSAF advisory ICSA-24-102-01. Affected product confirmed as Siemens SIMATIC S7-1500 TM MFP GNU/Linux subsystem. CVSS vector AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H indicates local attack vector with low attack complexity, requiring low privileges, resulting in high availability impact. Advisory revision history shows ongoing updates through September 2025.

Official resources