PatchSiren

CVE-2025-38198 Siemens CVE debrief

CVE-2025-38198 is a Linux kernel fbcon defect called out in Siemens/CISA advisory ICSA-25-162-05 for the SIMATIC S7-1500 CPU family. The supplied description says writing to the store_modes sysfs node can reach an unregistered console path where con2fb_map contains -1, leading to an array-index-out-of-bounds access. The described fix is to have fbcon_info_from_console() return NULL instead of indexing with -1. The advisory assigns CVSS 3.1 7.8 (HIGH) and states that no fix is currently available for the listed products.

Vendor: Siemens
Product: SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0)
CVSS: HIGH 7.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2025-06-10
Original CVE updated: 2026-05-14
Advisory published: 2025-06-10
Advisory updated: 2026-05-14

Who should care

Operators of the listed Siemens SIMATIC S7-1500 CPU 1518/1518F and SIPLUS variants, especially teams that administer the additional GNU/Linux subsystem, interactive shell access, or sysfs-facing maintenance workflows in OT environments.

Technical summary

The vulnerability path described in the source corpus is a local memory-safety defect: a write to the store_modes sysfs node can invoke fb_new_modelist()/fbcon_new_modelist(), which calls fbcon_info_from_console(). If con2fb_map[console] is -1 because the console is unregistered, the function indexes fbcon_registered_fb[-1], which UBSAN reports as array-index-out-of-bounds. The documented remediation is for fbcon_info_from_console() to return NULL in that case so callers can fail safely when the console is not registered.
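
The NULL-return pattern described above, as an added user-space C model (not the kernel source and not the vendor's or upstream's patch). con2fb_map, fbcon_registered_fb and the -1 sentinel come from the advisory text; the array sizes, the struct fb_info stub and the helper names info_from_console, consoles_using and model_setup are assumptions for illustration, and the model also rejects map values above the array bound, which goes slightly beyond the described case.

```c
#include <stddef.h>
#include <stdio.h>
#define NR_CONSOLES 8 /* constructed size for this model */
#define NR_FB 4       /* constructed size for this model */
struct fb_info { int node; }; /* stub, not the kernel structure */
static struct fb_info fb0 = { 0 };
static struct fb_info *fbcon_registered_fb[NR_FB];
static signed char con2fb_map[NR_CONSOLES];

/* Pre-fix shape per the description: the map value was used directly as the
 * index, so an unregistered console (-1) read fbcon_registered_fb[-1].
 * Hardened shape: validate the map value first and return NULL instead. */
struct fb_info *info_from_console(int console)
{
    if (console < 0 || console >= NR_CONSOLES)
        return NULL;
    int fb = con2fb_map[console];
    if (fb < 0 || fb >= NR_FB)
        return NULL;
    return fbcon_registered_fb[fb];
}

/* Caller modeled on the modelist path: a NULL lookup is skipped, not used. */
int consoles_using(const struct fb_info *info)
{
    int n = 0;
    for (int i = 0; i < NR_CONSOLES; i++) {
        const struct fb_info *cur = info_from_console(i);
        if (cur != NULL && cur == info)
            n++;
    }
    return n;
}

/* Constructed state: one framebuffer, consoles 0 and 1 mapped, the rest -1. */
struct fb_info *model_setup(void)
{
    for (int i = 0; i < NR_CONSOLES; i++)
        con2fb_map[i] = -1;
    fbcon_registered_fb[0] = &fb0;
    con2fb_map[0] = con2fb_map[1] = 0;
    return &fb0;
}

int main(void)
{
    printf("bound consoles: %d\n", consoles_using(model_setup()));
    return 0;
}
```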

Defensive priority

High

Recommended defensive actions

  • Restrict interactive shell access to the additional GNU/Linux subsystem to trusted personnel only.
  • Apply CISA and Siemens defense-in-depth guidance for the affected OT environment.
  • Only build and run applications from trusted sources on the affected systems.
  • Review whether any administrative workflow exposes the store_modes/sysfs path and limit access to only necessary operators.
  • Monitor the Siemens ProductCERT and CISA advisory pages for a vendor fix or updated mitigation guidance.

Evidence notes

Primary facts come from the supplied CISA CSAF source item for ICSA-25-162-05 and the Siemens SSA-082556 references. The advisory publication date is 2025-06-10; the latest supplied advisory update is 2026-05-14. The source corpus includes a 'none_available' remediation entry stating that no fix is currently available. KEV is not listed in the supplied data. The vulnerability text itself describes the kernel code path, the -1 index condition, and the NULL-return fix.

Official resources

Public advisory disclosure date in the supplied corpus is 2025-06-10 (ICSA-25-162-05 / SSA-082556). The source was later republished/updated, with the latest supplied update on 2026-05-14; that is not the original CVE issue date.