PatchSiren cyber security CVE debrief
CVE-2025-38457 Siemens CVE debrief
CVE-2025-38457 is a Linux kernel queuing discipline (qdisc) bug that can lead to a local denial of service when a qdisc is created or modified with a parent that is not a valid class. The vulnerability is described in Siemens' CSAF advisory ICSA-25-162-05 and is listed for several SIMATIC S7-1500 CPU 1518-4/1518F-4 PN/DP MFP products. The supplied advisory states that the issue can reach a null class during qdisc handling, and that no fix is currently available in the advisory record.
- Vendor
- Siemens
- Product
- SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0)
- CVSS
- MEDIUM 5.5
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2025-06-10
- Original CVE updated
- 2026-05-14
- Advisory published
- 2025-06-10
- Advisory updated
- 2026-05-14
Who should care
Operators, integrators, and maintainers of the listed Siemens SIMATIC S7-1500 CPU 1518-4/1518F-4 PN/DP MFP products should review exposure, especially if local shell or administrative access is available to untrusted users. OT security teams should also care if the affected devices or their embedded Linux stack rely on qdisc functionality that can be reached locally.
Technical summary
The advisory describes a flaw in the Linux kernel net/sched qdisc path. When a user specifies a parent qdisc, grafting later rejects non-class attachment, but that check happens after qdisc_create and the init callback have already run. In qdiscs that unconditionally call qdisc_tree_reduce_backlog() during init or change, the code can proceed with an assumed child qdisc while the parent class lookup failed, leading to a null class being passed to qlen_notify. The stated fix is to make qdisc_leaf() fail earlier so __tc_modify_qdisc aborts before qdisc_create when the parent class does not exist.
Defensive priority
Medium. The issue is local and affects availability rather than confidentiality or integrity, but it can still crash or disrupt affected systems. The advisory also indicates no fix is currently available, so inventory and access control should be prioritized.
Recommended defensive actions
- Identify whether any of the listed Siemens SIMATIC S7-1500 CPU MFP products are deployed in your environment and confirm whether the affected software stack is present.
- Restrict interactive shell and other local administrative access to trusted personnel only.
- Limit local execution and administrative tooling to trusted sources and approved workflows.
- Monitor the Siemens ProductCERT advisory and the CISA CSAF record for update status and remediation guidance.
- Plan maintenance and validation steps for affected devices once a vendor fix or updated firmware becomes available.
Evidence notes
This debrief is based on the supplied CISA CSAF source item ICSA-25-162-05, Siemens advisory references SSA-082556 in JSON and HTML form, and the linked CVE record. The source record lists publication on 2025-06-10 and latest modification on 2026-05-14. The supplied CVSS v3.1 vector is AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H (5.5, Medium). The corpus also indicates no KEV listing and no known ransomware campaign use.
Official resources
-
CVE-2025-38457 CVE record
CVE.org
-
CVE-2025-38457 NVD detail
NVD
-
Source item URL
cisa_csaf
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
Published in the supplied source record on 2025-06-10T00:00:00.000Z; last modified on 2026-05-14T06:00:00.000Z. The source corpus does not list this CVE in CISA KEV and does not indicate known ransomware campaign use.