PatchSiren cyber security CVE debrief

CVE-2025-38231 Siemens CVE debrief

CVE-2025-38231 is a Linux kernel nfsd availability issue described in Siemens/CISA advisories for several SIMATIC S7-1500 CPU MFP products. The flaw can lead to a NULL pointer dereference when delayed work starts before nfsd_ssc initialization completes, which may happen if the kernel is waiting too long for userspace responses. The advisory states that no fix is currently available and recommends compensating controls.

Vendor: Siemens
Product: SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0)
CVSS: MEDIUM 5.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2025-06-10
Original CVE updated: 2026-05-14
Advisory published: 2025-06-10
Advisory updated: 2026-05-14

Who should care

Operators and maintainers of the listed Siemens SIMATIC S7-1500 CPU 1518/1518F MFP variants, OT/ICS defenders, and teams responsible for the embedded GNU/Linux subsystem or local shell access on these devices should prioritize this advisory.

Technical summary

According to the source description, nfs4_state_start_net() may start laundromat_work before nfsd_ssc is initialized. laundromat_work can later reach nfsd4_ssc_expire_umount via nfs4_laundromat, producing a NULL pointer dereference if nfsd_ssc is not ready. The condition is more likely when the kernel blocks on userspace completion paths, delaying initialization long enough for the delayed work to run first. The source characterizes the issue as local, with availability impact, and the linked CVSS vector is AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H.
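To make the ordering hazard in the summary concrete, here is an added single-threaded C model written for this debrief (not kernel code, not the Siemens fix, and not a reproduction of the real code paths): the struct fields and function names are stand-ins for nfsd_ssc, laundromat_work, nfsd4_ssc_expire_umount and the blocking wait on userspace. It returns whether the queued work observed the state before it was initialised, and shows that initialising the state before scheduling the work closes that window.

```c
#include <stddef.h>
#include <stdio.h>

/* Constructed single-threaded model of the ordering hazard (not kernel code);
 * the names are stand-ins for the nfsd objects named in the summary. */
struct net_model {
    int *ssc;                            /* stands in for nfsd_ssc; NULL until set up */
    void (*queued)(struct net_model *);  /* stands in for a scheduled laundromat_work */
    int hazard;                          /* 1 if the work ran while ssc was still NULL */
};

/* Stand-in for nfsd4_ssc_expire_umount(): the real code dereferences ssc here. */
static void expire_umount_work(struct net_model *nn)
{
    if (nn->ssc == NULL) { nn->hazard = 1; return; }  /* record the fault, don't crash */
    (*nn->ssc)++;                                     /* normal path on ready state */
}

/* Stand-in for a blocking wait on a userspace reply: while the caller is
 * stuck, delayed work whose timer has expired gets to run. */
static void wait_for_userspace(struct net_model *nn)
{
    if (nn->queued) { nn->queued(nn); nn->queued = NULL; }
}

/* Start-up sequence in either order; returns 1 if the worker saw ssc unready. */
int start_net_model(int init_ssc_first)
{
    static int ssc_storage;
    struct net_model nn = { NULL, NULL, 0 };

    if (init_ssc_first)
        nn.ssc = &ssc_storage;           /* safe order: state exists before the work */
    nn.queued = expire_umount_work;      /* models scheduling the delayed work */
    wait_for_userspace(&nn);             /* slow userspace path: the work runs now */
    if (!init_ssc_first)
        nn.ssc = &ssc_storage;           /* hazardous order: initialised too late */
    wait_for_userspace(&nn);             /* drain anything still queued */
    return nn.hazard;
}

int main(void)
{
    printf("schedule-then-init hazard: %d\n", start_net_model(0)); /* prints 1 */
    printf("init-then-schedule hazard: %d\n", start_net_model(1)); /* prints 0 */
    return 0;
}
```

The model collapses the timer into a drain step so the result is deterministic; in the real kernel the same window depends on how long the userspace round trip takes.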

Defensive priority

Medium to High for affected assets: the scored severity is Medium (CVSS 5.5), but the impact is a kernel availability fault on industrial devices and the source says no fix is available yet.

Recommended defensive actions

  • Restrict access to the interactive shell of the additional GNU/Linux subsystem to trusted personnel only, as recommended in the advisory.
  • Only build and run applications from trusted sources on the affected devices.
  • Treat the listed SIMATIC S7-1500 CPU MFP variants as affected until Siemens publishes a fix or updated guidance.
  • Reduce opportunities for local triggering by minimizing unnecessary local users, services, and administrative access on the device.
  • Monitor the Siemens ProductCERT and CISA advisory pages for remediation updates and revision changes.
  • Plan maintenance windows and operational contingencies for potential availability loss, since the issue can lead to a kernel NULL dereference.
  • Apply Siemens-approved compensating controls and validation before introducing any new software or configuration changes.
  • Use CISA ICS recommended practices and defense-in-depth guidance to limit the blast radius of a device crash.

Evidence notes

The supplied Siemens/CISA CSAF advisory (ICSA-25-162-05 / SSA-082556) lists affected products as SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0, 6ES7518-4AX00-1AC0), SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0, 6ES7518-4FX00-1AC0), and SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0). The source description states the flaw is a Linux kernel nfsd NULL dereference caused by laundromat_work reaching nfsd_ssc before initialization completes, especially under delayed userspace response paths. The advisory remediation section says 'Currently no fix is available' and suggests restricting shell access and using trusted software only. The CVSS vector provided in the source is CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H, and the CVE is not marked as KEV in the supplied data. Published date used here is 2025-06-10; later advisory revisions are update context, not the original CVE date.

Official resources

Publicly disclosed through the CISA CSAF advisory on 2025-06-10 and later updated through 2026-05-14; the supplied corpus does not indicate KEV inclusion or in-the-wild exploitation.