PatchSiren cyber security CVE debrief

CVE-2025-38063 Siemens CVE debrief

CVE-2025-38063 is a Linux kernel device-mapper issue that can cause unnecessary I/O throttling when a flush request is processed. Siemens’ advisory maps the issue to several SIMATIC S7-1500 CPU models with an additional GNU/Linux subsystem, and the source material notes that no fix was available at publication time.

Vendor: Siemens
Product: SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0)
CVSS: MEDIUM 5.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2025-06-10
Original CVE updated: 2026-05-14
Advisory published: 2025-06-10
Advisory updated: 2026-05-14

Who should care

Operators, maintainers, and OT security teams responsible for the affected Siemens SIMATIC S7-1500 CPU models, especially environments that rely on the GNU/Linux subsystem or storage paths that issue flush-heavy I/O.

Technical summary

The underlying kernel problem is in dm flush handling: when a bio with REQ_PREFLUSH is submitted, __send_empty_flush() creates a flush_bio marked REQ_OP_WRITE | REQ_PREFLUSH | REQ_SYNC. That combination causes the flush_bio to be throttled by wbt_wait(), which can impose an unintended availability and performance penalty. The advisory’s CVSS vector reflects a local, low-complexity issue with high availability impact and no confidentiality or integrity impact.

Defensive priority

Medium; elevate operational priority if the affected device relies on the GNU/Linux subsystem or performance-sensitive storage workloads.

Recommended defensive actions

  • Confirm whether any affected Siemens SIMATIC S7-1500 CPU models are in use and whether the GNU/Linux subsystem is enabled.
  • Treat this as an availability and performance issue; validate whether I/O throttling could affect control or maintenance workloads.
  • Apply Siemens and CISA updates when a vendor fix or revised mitigation becomes available.
  • Until a fix exists, restrict shell access to trusted personnel only.
  • Only build and run applications from trusted sources on the affected subsystem.
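One way to carry out the validation step above, added here as an example and not code from PatchSiren, Siemens or the kernel: the script walks sysfs (or a constructed copy, for offline use) and reports, for each device-mapper device, whether the block device beneath it has writeback throttling active, which is the wbt_wait() path the technical summary names. It assumes the standard sysfs layout (/sys/block/dm-N/slaves and /sys/block/<dev>/queue/wbt_lat_usec, where 0 means wbt is disabled); the sample tree at the end is constructed data.

```shell
#!/bin/sh
# Added example, not part of the PatchSiren debrief or the Siemens advisory.
# Lists each device-mapper device with the wbt_lat_usec value of the block
# device(s) beneath it: a non-zero value means writeback throttling is active
# on that queue, so a dm flush bio submitted to it may wait in wbt_wait().

# Read a queue's wbt_lat_usec (0 = wbt disabled; absent = no wbt support).
wbt_lat() {
    f="$1/queue/wbt_lat_usec"
    if [ -r "$f" ]; then cat "$f"; else echo "n/a"; fi
}

# Print one line per dm/slave pair: "<dm name> <slave> <wbt_lat_usec> <state>".
# Argument: sysfs root (normally /sys); a constructed tree works offline.
# Only whole-disk slaves are resolved; a partition or stacked-dm slave has no
# queue directory of its own under block/ and is reported as "unknown".
dm_wbt_report() {
    sysroot="${1:-/sys}"
    for dm in "$sysroot"/block/dm-*; do
        [ -d "$dm" ] || continue
        name=$(cat "$dm/dm/name" 2>/dev/null || basename "$dm")
        for slave in "$dm"/slaves/*; do
            [ -e "$slave" ] || continue
            sdev=$(basename "$slave")
            lat=$(wbt_lat "$sysroot/block/$sdev")
            case "$lat" in
                n/a) state=unknown ;;
                0)   state=not-throttled ;;
                *)   state=THROTTLED ;;
            esac
            echo "$name $sdev $lat $state"
        done
    done
}

# Constructed sysfs tree (sample data, not from a real host): "root" sits on
# sda with wbt active at 75000 usec, "data" sits on sdb with wbt disabled.
build_sample_tree() {
    t=$(mktemp -d)
    mkdir -p "$t/block/sda/queue" "$t/block/sdb/queue" \
             "$t/block/dm-0/dm" "$t/block/dm-0/slaves/sda" \
             "$t/block/dm-1/dm" "$t/block/dm-1/slaves/sdb"
    echo 75000 > "$t/block/sda/queue/wbt_lat_usec"
    echo 0     > "$t/block/sdb/queue/wbt_lat_usec"
    echo root  > "$t/block/dm-0/dm/name"
    echo data  > "$t/block/dm-1/dm/name"
    echo "$t"
}

dm_wbt_report "$(build_sample_tree)"
```

On a live host run `dm_wbt_report /sys`; any line marked THROTTLED is a dm device whose flush bios pass through a wbt-enabled queue.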

Evidence notes

CISA’s CSAF advisory ICSA-25-162-05, published on 2025-06-10 and last updated on 2026-05-14, links CVE-2025-38063 to Siemens SIMATIC S7-1500 CPU family products. The source description states that the Linux kernel dm path can generate a flush_bio that is throttled by wbt_wait() when a bio with REQ_PREFLUSH is submitted, and the remediation section states that no fix was available at the time reflected in the source.

Official resources

CVE published 2025-06-10; this debrief reflects the latest source update dated 2026-05-14. Timing context is based on the advisory and source revision history, not generation time.