PatchSiren cyber security CVE debrief
CVE-2025-21865 Siemens CVE debrief
CVE-2025-21865 is a local-access vulnerability with availability impact, tied by Siemens and CISA to select SIMATIC S7-1500 CPU models that include a GNU/Linux subsystem. The underlying issue described in the CVE record is a kernel teardown bug in gtp_net_exit_batch_rtnl() where device deletion can be triggered twice during exit_batch_rtnl(), creating a list-corruption condition. Siemens’ advisory and the CISA CSAF record rate the availability impact as high, and the published remediation states that no fix is currently available.
- Vendor: Siemens
- Product: SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0)
- CVSS: MEDIUM 5.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2025-06-10
- Original CVE updated: 2026-05-14
- Advisory published: 2025-06-10
- Advisory updated: 2026-05-14
Who should care
OT operators, plant engineers, and asset owners running the affected SIMATIC S7-1500 CPU variants should pay attention, especially if the device’s GNU/Linux subsystem is enabled or accessible. Security teams responsible for local account control, application provenance, and maintenance windows should also review this advisory.
Technical summary
The public CVE description identifies a bug in the gtp network tunnel exit path: a loop added in gtp_net_exit_batch_rtnl() can cause ->dellink() to be called twice for the same device during ->exit_batch_rtnl(). Siemens’ CSAF advisory maps this to affected SIMATIC S7-1500 CPU products and describes a mitigation posture focused on restricting interactive shell access to trusted personnel and only running trusted applications. The advisory’s CVSS vector is AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H, indicating local access is required and the primary impact is denial of service/availability loss.
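The double-deletion pattern from the summary above, as an added example that is not Siemens' or the kernel's code: a userland C model of a kernel-style linked list in which a second unlink of the same node is caught by a sanity check in the spirit of the kernel's list-debugging option. The two-pass teardown, `tunnel_dev`, and all function names are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Userland model of a kernel-style circular doubly linked list (constructed). */
struct list_head { struct list_head *next, *prev; };
static struct list_head poison;   /* stand-in for the kernel's poison pointers */

static void list_add_tail(struct list_head *n, struct list_head *h) {
    n->prev = h->prev; n->next = h;
    h->prev->next = n; h->prev = n;
}

/* Unlink with a sanity check in the spirit of CONFIG_DEBUG_LIST: refuse a
 * node that is already poisoned or whose neighbours do not point back at it. */
static bool list_del_checked(struct list_head *e) {
    if (e->next == &poison || e->prev == &poison) return false;
    if (e->prev->next != e || e->next->prev != e) return false;
    e->next->prev = e->prev;
    e->prev->next = e->next;
    e->next = e->prev = &poison;
    return true;
}

/* Hypothetical tunnel device, linked on a driver-private list. */
struct tunnel_dev { int ifindex; struct list_head list; };

/* Assumed two-pass teardown: pass 1 drains the driver's list, pass 2 visits
 * every device again. Returns the number of duplicate unlinks rejected. */
static int teardown(struct list_head *drv, struct tunnel_dev *all, size_t n) {
    int rejected = 0;
    while (drv->next != drv)                      /* pass 1 */
        list_del_checked(drv->next);
    for (size_t i = 0; i < n; i++)                /* pass 2: same devices */
        if (!list_del_checked(&all[i].list)) rejected++;
    return rejected;
}

/* Constructed sample: three devices; -1 means the list did not end up empty. */
static int demo_rejected(void) {
    struct list_head drv = { &drv, &drv };
    struct tunnel_dev devs[3] = { {.ifindex = 1}, {.ifindex = 2}, {.ifindex = 3} };
    for (int i = 0; i < 3; i++) list_add_tail(&devs[i].list, &drv);
    int r = teardown(&drv, devs, 3);
    return (drv.next == &drv && drv.prev == &drv) ? r : -1;
}

int main(void) { printf("duplicate unlinks rejected: %d\n", demo_rejected()); return 0; }
```

Without the check, each rejected call would be a second unlink through pointers that no longer describe the list, which is the list-corruption condition the CVE record refers to.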
Defensive priority
Medium. Prioritize if the affected CPU family is deployed in operationally critical environments, if local shell access is broader than necessary, or if third-party applications are executed on the GNU/Linux subsystem. Because the advisory states that no fix is currently available, compensating controls matter more than patching in the short term.
Recommended defensive actions
- Limit access to the interactive shell of the additional GNU/Linux subsystem to trusted personnel only.
- Only build and run applications from trusted sources.
- Inventory affected SIMATIC S7-1500 CPU models and confirm whether the GNU/Linux subsystem is enabled in your deployment.
- Track Siemens ProductCERT SSA-082556 and CISA ICSA-25-162-05 for any future remediation updates.
- Apply least-privilege controls for local users and maintenance accounts that can interact with the subsystem.
Evidence notes
CISA’s CSAF record for ICSA-25-162-05 was published on 2025-06-10 and last updated on 2026-05-14. The advisory lists five affected Siemens CPU product identifiers and explicitly states that no fix is currently available. The remediation entries provided are limited to trusted-shell access and trusted application sources. The CVE text describes a duplicate device deletion path in gtp_net_exit_batch_rtnl(), and the official CVSS vector is AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H.
Official resources
- CVE-2025-21865 CVE record (CVE.org)
- CVE-2025-21865 NVD detail (NVD)
- Source item URL (cisa_csaf)
Publicly disclosed on 2025-06-10 in CISA’s CSAF advisory ICSA-25-162-05, with the latest provided CISA republication update dated 2026-05-14. This debrief uses the advisory publication timeline as the disclosure context and does not treat a