PatchSiren cyber security CVE debrief
CVE-2025-31115 Siemens CVE debrief
CVE-2025-31115 is a high-severity flaw in XZ Utils’ liblzma multithreaded .xz decoder. The supplied Siemens advisory maps the issue to specific SIMATIC S7-1500 CPU variants and states that invalid input can trigger a crash, heap use-after-free, or a write based on a null pointer plus offset. Siemens’ advisory says no fix is currently available for the listed products, so operators should rely on compensating controls and watch for later vendor guidance.
- Vendor
- Siemens
- Product
- SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0)
- CVSS
- HIGH 7.5
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2025-06-10
- Original CVE updated
- 2026-05-14
- Advisory published
- 2025-06-10
- Advisory updated
- 2026-05-14
Who should care
Operators and maintainers of the listed Siemens SIMATIC S7-1500 CPU variants, plus OT/ICS security teams that manage Linux-based embedded software paths or applications using liblzma’s lzma_stream_decoder_mt function.
Technical summary
The underlying issue is in the multithreaded .xz decoder in liblzma, where malformed input can lead to memory-safety failures. The CVE description names crash impact, heap use-after-free, and a write to an address derived from a null pointer plus offset. Siemens’ CSAF advisory identifies five SIMATIC/SIPLUS CPU product variants as affected and notes that, for those products, no fix is currently available in the advisory; upstream XZ Utils fixed the bug in 5.8.1 and committed the fix to multiple branches.
Defensive priority
High. The published CVSS score is 7.5 (HIGH), the impact includes denial of service and memory corruption, and the affected Siemens products have no listed fix in the advisory.
Recommended defensive actions
- Inventory any use of XZ Utils/liblzma in the affected Siemens products and confirm whether the multithreaded decoder path is reachable in your deployment.
- Apply Siemens’ current compensating controls from the advisory: limit interactive shell access to trusted personnel and only build/run applications from trusted sources.
- Treat untrusted or malformed .xz content as a crash-risk input path and minimize exposure where operationally possible.
- Monitor Siemens ProductCERT/CISA advisory updates for a vendor fix or additional guidance.
- Review OT hardening and defense-in-depth guidance referenced by CISA to reduce the impact of memory-safety faults in embedded systems.
Evidence notes
CISA’s CSAF source for ICSA-25-162-05 was published on 2025-06-10 and last modified on 2026-05-14. The source data and Siemens references identify the advisory as SSA-082556, list five affected Siemens SIMATIC/SIPLUS CPU products, and state that no fix is currently available for those products. The CVE description also notes that upstream XZ Utils fixed the issue in 5.8.1 and backported the fix to multiple branches. Supplied enrichment does not list a CISA KEV entry.
Official resources
-
CVE-2025-31115 CVE record
CVE.org
-
CVE-2025-31115 NVD detail
NVD
-
Source item URL
cisa_csaf
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
Publicly disclosed in CISA/Siemens advisory ICSA-25-162-05 / SSA-082556 on 2025-06-10, with later republication updates through 2026-05-14. Supplied enrichment does not list it in CISA KEV.