CVE-2025-38167 Siemens CVE debrief

Who should care

Siemens SIMATIC S7-1500 CPU operators and integrators, especially those using the affected 1518/1518F and SIPLUS variants and any deployment that exposes the additional GNU/Linux subsystem shell or application environment.

Technical summary

The underlying issue is in fs/ntfs3: hdr_first_de() returns a pointer to struct NTFS_DE that may be NULL, and the vulnerable path needs explicit NULL handling. The CISA/Siemens advisory context ties this Linux kernel issue to the SIMATIC S7-1500 CPU family products listed in the advisory. The published CVSS vector (AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H) points to local access requirements and a high availability impact, with no confidentiality or integrity impact recorded.

Defensive priority

Medium priority. Treat as a targeted availability risk for affected Siemens systems; prioritize where local shell access exists or where downtime would materially affect operations, especially because the advisory lists no fix yet.

Recommended defensive actions

• Limit access to the interactive shell of the additional GNU/Linux subsystem to trusted personnel only.
• Only build and run applications from trusted sources.
• Monitor Siemens ProductCERT advisory SSA-082556 and CISA advisory ICSA-25-162-05 for any future remediation updates.
• Review local user access and privilege boundaries for the affected subsystem to reduce exposure to low-privilege local abuse.

Evidence notes

The source advisory (ICSA-25-162-05 / Siemens SSA-082556) lists five affected Siemens SIMATIC S7-1500 CPU product variants and explicitly states that currently no fix is available. The CVE description identifies the Linux kernel ntfs3 issue: hdr_first_de() can return NULL and needs error handling, which is consistent with CWE-476 (NULL pointer dereference) and the advisory's CVSS vector AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H. The advisory also notes the finding came from the Linux Verification Center (linuxtesting.org) with SVACE.

Official resources