PatchSiren cyber security CVE debrief
CVE-2025-26465 Siemens CVE debrief
CVE-2025-26465 affects multiple Siemens SIMATIC S7-1500 CPU family products and is tied to OpenSSH behavior when VerifyHostKeyDNS is enabled. According to the advisory, a successful machine-in-the-middle attack requires the attacker to first exhaust the client’s memory resources, which raises the attack complexity, and Siemens notes that no fix is currently available.
- Vendor: Siemens
- Product: SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0)
- CVSS: MEDIUM 6.8
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2025-06-10
- Original CVE updated: 2026-05-14
- Advisory published: 2025-06-10
- Advisory updated: 2026-05-14
Who should care
Operators and maintainers of the affected Siemens SIMATIC S7-1500 CPU family products, especially teams managing the additional GNU/Linux subsystem, OpenSSH usage, or any configuration that enables VerifyHostKeyDNS. OT security teams should also care because the affected products are industrial controllers in operational environments.
Technical summary
The source advisory describes a weakness in OpenSSH’s host-key verification path when VerifyHostKeyDNS is enabled. Under specific error-handling conditions, a malicious system impersonating a legitimate server may be able to mount a machine-in-the-middle attack, but the advisory states the attacker must first exhaust the client’s memory resources. The reported CVSS vector is AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N, indicating a network attack vector, high attack complexity, no privileges required, required user interaction, high confidentiality and integrity impact, and no availability impact.
Defensive priority
Medium priority. The issue is externally reachable and can affect confidentiality and integrity, but exploitation is gated by user interaction, a high-complexity condition, and memory-exhaustion prerequisites. Because the advisory says no fix is available, defensive attention should focus on reducing exposure and tightening access now.
Recommended defensive actions
- Review whether VerifyHostKeyDNS is enabled on affected systems and disable it where it is not required by operational policy.
- Restrict access to the interactive shell of the additional GNU/Linux subsystem to trusted personnel only, as recommended by the advisory.
- Only build and run applications from trusted sources on the affected products.
- Monitor Siemens ProductCERT and CISA advisories for a future fix or updated mitigation guidance, since the current advisory states no fix is available.
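One way to carry out the first action above, as an added example that is not part of the Siemens or CISA advisory: a Python audit of OpenSSH client configuration text that reports every line setting VerifyHostKeyDNS to `yes` or `ask`, with the Host/Match block it sits in. The function name, the sample configuration and its host names are constructed for illustration.

```python
import re
import shlex

# Values that turn on DNS (SSHFP) host-key checking; the OpenSSH default is "no".
RISKY = {"yes", "ask"}

# Constructed sample ssh_config, not taken from a real device.
SAMPLE = """\
# engineering workstation client config (constructed)
Host eng-*.plant.example
    VerifyHostKeyDNS yes
Host historian
    verifyhostkeydns=ask   # prompt when an SSHFP record matches
Match host backup.plant.example
    VerifyHostKeyDNS "no"
Host *
    VerifyHostKeyDNS no
"""

def audit_verifyhostkeydns(config_text):
    """Return (line_no, scope, value) for each line that enables VerifyHostKeyDNS."""
    findings = []
    scope = "global"  # options before the first Host/Match apply to every host
    for line_no, raw in enumerate(config_text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # ssh_config accepts both "Keyword value" and "Keyword=value"
        m = re.match(r"([A-Za-z0-9]+)\s*(?:=\s*|\s+)(.*)$", line)
        if not m:
            continue
        keyword, rest = m.group(1).lower(), m.group(2)
        try:
            args = shlex.split(rest, comments=True)  # handles quotes and trailing comments
        except ValueError:
            args = rest.split()  # unbalanced quote: fall back to plain splitting
        if keyword in ("host", "match"):
            scope = f"{m.group(1)} {' '.join(args)}"
        elif keyword == "verifyhostkeydns" and args and args[0].lower() in RISKY:
            findings.append((line_no, scope, args[0].lower()))
    return findings

if __name__ == "__main__":
    for line_no, scope, value in audit_verifyhostkeydns(SAMPLE):
        print(f"line {line_no}: VerifyHostKeyDNS {value} in [{scope}]")
```

The audit is line-level: it does not follow `Include` directives or resolve OpenSSH's first-obtained-value precedence, so each reported line is a candidate for review rather than proof of the effective setting for a given host.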
Evidence notes
This debrief is based on the supplied CISA CSAF advisory ICSA-25-162-05, the referenced Siemens ProductCERT advisory SSA-082556, and the CVE description provided in the source corpus. Product scope, mitigations, and the 'no fix available' status come from the advisory metadata; timing uses the supplied CVE published date of 2025-06-10 and latest modified date of 2026-05-14.
Official resources
- CVE-2025-26465 CVE record (CVE.org)
- CVE-2025-26465 NVD detail (NVD)
- Source item URL (cisa_csaf)
Publicly disclosed on 2025-06-10. The source advisory shows subsequent republication updates, with the latest modified date in the supplied timeline at 2026-05-14.