PatchSiren cyber security CVE debrief
CVE-2025-38124 Siemens CVE debrief
CVE-2025-38124 is a Linux kernel networking issue tied to UDP GSO segmentation after pulling from a frag_list. In the Siemens/CISA advisory context, it affects SIMATIC S7-1500 CPU family products that include an additional GNU/Linux subsystem. The source advisory lists mitigations only and states that no fix is currently available. Because the CVSS vector emphasizes local access and high availability impact, defenders should treat this as an operational stability concern for exposed or locally reachable Linux subsystem use on the affected controllers.
- Vendor
- Siemens
- Product
- SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0)
- CVSS
- MEDIUM 5.5
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2025-06-10
- Original CVE updated
- 2026-05-14
- Advisory published
- 2025-06-10
- Advisory updated
- 2026-05-14
Who should care
Owners and operators of Siemens SIMATIC S7-1500 CPU family products, especially environments using the additional GNU/Linux subsystem; control engineers, OT security teams, and asset managers responsible for these devices; and integrators who deploy applications or shells on the embedded Linux environment.
Technical summary
The underlying issue is described as a Linux kernel net/UDP GSO segmentation bug involving skb_segment after pull from frag_list. The advisory narrative says a prior commit detected invalid geometry in frag_list skbs and redirected them from skb_segment_list to skb_segment, but some packets with modified geometry can still trigger bugs in that path. The published CVSS v3.1 vector is AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H, indicating a local, low-complexity condition with significant availability impact and no stated confidentiality or integrity impact. Siemens’ advisory scope lists five SIMATIC S7-1500 CPU variants as affected and reports no available fix at the time of the source update.
Defensive priority
Medium. The issue is not marked as KEV, but it affects industrial control hardware and the source advisory offers mitigation rather than a patch, so exposure should be reviewed promptly.
Recommended defensive actions
- Identify whether any affected SIMATIC S7-1500 CPU 1518/1518F MFP variants are in use, including SIPLUS variants listed in the advisory.
- Determine whether the additional GNU/Linux subsystem is enabled and whether trusted personnel only have shell access.
- Restrict shell access to the embedded GNU/Linux subsystem to trusted personnel only, as recommended by the advisory.
- Only build and run applications from trusted sources on the affected devices.
- Monitor Siemens ProductCERT and CISA advisory updates for a future fix or revised mitigation guidance.
- Prioritize operational resilience planning for any controller functions that depend on the embedded Linux subsystem.
Evidence notes
Source grounding comes from the CISA CSAF advisory ICSA-25-162-05 / Siemens ProductCERT SSA-082556 references included in the corpus. The advisory lists affected Siemens SIMATIC S7-1500 CPU family products and states 'Currently no fix is available.' The CVE description supplied in the corpus attributes the bug to Linux kernel UDP GSO skb_segment handling after pull from frag_list. No additional exploit details or remediation claims are used beyond the supplied corpus and official links.
Official resources
-
CVE-2025-38124 CVE record
CVE.org
-
CVE-2025-38124 NVD detail
NVD
-
Source item URL
cisa_csaf
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
Published by CISA on 2025-06-10 and last updated in the supplied source record on 2026-05-14. The advisory revisions in the corpus show later republication updates, but the CVE issue date remains 2025-06-10.