PatchSiren cyber security CVE debrief
CVE-2025-32988 Siemens CVE debrief
CVE-2025-32988 is a double-free in GnuTLS SAN export logic that Siemens tracked in its SIMATIC S7-1500 CPU family advisory. When an Subject Alternative Name entry contains an otherName with an invalid or malformed type-id OID, GnuTLS may call asn1_delete_structure() on an ASN.1 node it does not own, creating a double-free condition. The advisory says the issue can be triggered through public GnuTLS APIs and may lead to denial of service or memory corruption, depending on allocator behavior. In the supplied advisory snapshot, Siemens lists no fix available for the affected SIMATIC S7-1500 CPU variants.
- Vendor
- Siemens
- Product
- SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0)
- CVSS
- MEDIUM 6.5
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2025-06-10
- Original CVE updated
- 2026-05-14
- Advisory published
- 2025-06-10
- Advisory updated
- 2026-05-14
Who should care
Operators and maintainers of the listed Siemens SIMATIC S7-1500 CPU 1518-4/1518F-4 PN/DP MFP and SIPLUS variants, OT security teams, and administrators responsible for the embedded GNU/Linux subsystem or application deployment on these controllers.
Technical summary
The flaw is an ownership bug in GnuTLS’s export path for Subject Alternative Name entries containing otherName. If the type-id OID is invalid or malformed, GnuTLS can free an ASN.1 structure it does not own; later cleanup can free the same object again, resulting in a double-free. CISA’s CSAF entry for ICSA-25-162-05 associates the issue with Siemens SIMATIC S7-1500 CPU models. The supplied CVSS vector is CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:H (6.5 MEDIUM).
Defensive priority
Medium-High — the CVSS score is medium, but the advisory snapshot says no fix is available and the affected products are industrial controllers, so compensating controls deserve prompt attention.
Recommended defensive actions
- Limit access to the interactive shell of the additional GNU/Linux subsystem to trusted personnel only.
- Only build and run applications from trusted sources.
- Review Siemens ProductCERT and CISA advisory updates for a future fix and validate compensating controls now.
- Prioritize exposure review for the listed Siemens SIMATIC S7-1500 CPU models because the supplied advisory snapshot says no fix is currently available.
Evidence notes
CISA’s CSAF advisory ICSA-25-162-05 (published 2025-06-10 and updated through 2026-05-14) identifies CVE-2025-32988 and points to Siemens ProductCERT advisory SSA-082556. The advisory text states that the issue is a GnuTLS double-free involving malformed or invalid otherName type-id OIDs, that it can be triggered with public GnuTLS APIs, and that it may result in denial of service or memory corruption. The remediation section in the supplied source states that no fix is currently available and provides compensating guidance for the affected Siemens products.
Official resources
-
CVE-2025-32988 CVE record
CVE.org
-
CVE-2025-32988 NVD detail
NVD
-
Source item URL
cisa_csaf
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
Publicly disclosed by Siemens/CISA on 2025-06-10 in ICSA-25-162-05 / SSA-082556, with CISA republication updates through 2026-05-14.