CVE-2025-21864 Siemens CVE debrief

Who should care

OT defenders, platform owners, and maintenance teams responsible for the listed Siemens SIMATIC S7-1500 CPU 1518-4 PN/DP MFP and 1518F-4 PN/DP MFP variants, especially environments that use the GNU/Linux subsystem or rely on Linux network-stack functionality exposed by the device.

Technical summary

The advisory describes a Linux TCP receive-path cleanup problem: the skb’s destination entry is dropped when it is no longer needed, but the secpath was not dropped at the same time. Because secpath retains a reference to xfrm_state, deferred freeing of the skb can keep that reference alive until after network namespace teardown. If the defer list is not flushed before the netns is deleted, xfrm_state objects remain referenced unexpectedly and xfrm6_tunnel_net_exit can warn. The source notes that tcp_filter has already called LSM hooks that may need secpath, but also that MPTCP-related extensions may still be present, so not every skb extension can be removed wholesale. The supplied CVSS vector is AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H (5.5, Medium).

Defensive priority

Medium. The issue is local and availability-focused, but it affects an OT product family and the source advisory says no fix is available yet, so affected operators should track vendor guidance closely and apply available hardening measures.

Recommended defensive actions

• Identify whether any of the listed Siemens SIMATIC S7-1500 CPU models are deployed in your environment and confirm whether they use the affected GNU/Linux subsystem or related network features.
• Review and follow Siemens ProductCERT advisory SSA-082556 and the CISA advisory for updates, since the supplied source states that no fix is currently available.
• Restrict interactive shell access to trusted personnel only, as recommended in the source remediation guidance.
• Only build and run applications from trusted sources on affected devices, per the source remediation guidance.
• Monitor for future vendor updates or revised mitigation guidance and plan maintenance windows so they can be applied promptly when available.

Evidence notes

The affected products, no-fix status, remediations, CVSS vector, and publication/modification dates come from the supplied CISA CSAF source and its referenced Siemens advisory materials. The technical mechanism is taken from the provided CVE description: a secpath/xfrm_state reference can survive deferred skb freeing and remain present during netns teardown. PublishedAt is 2025-06-10T00:00:00.000Z and ModifiedAt is 2026-05-14T06:00:00.000Z; those are the dates used for timing context. The provided data also marks the issue as not in KEV.

Official resources