PatchSiren cyber security CVE debrief
CVE-2025-38470 Siemens CVE debrief
CVE-2025-38470 is a Linux kernel VLAN handling flaw republished by CISA in Siemens’ industrial advisory ICSA-25-162-05. In affected Siemens SIMATIC S7-1500 CPU models with the additional GNU/Linux subsystem, toggling the rx-vlan-filter feature during runtime can leave VLAN 0 reference counts out of sync. The documented outcomes are either a memory leak or a null-pointer/BUG_ON condition in VLAN unregister logic, creating an availability risk rather than a confidentiality or integrity issue.
- Vendor: Siemens
- Product: SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0)
- CVSS: MEDIUM 5.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2025-06-10
- Original CVE updated: 2026-05-14
- Advisory published: 2025-06-10
- Advisory updated: 2026-05-14
Who should care
Owners and operators of the listed Siemens SIMATIC S7-1500 CPU 1518-family and SIPLUS variants, especially environments that use the additional GNU/Linux subsystem or allow local administrators to change VLAN or ethtool settings. OT teams responsible for host hardening, access control, and maintenance windows should pay particular attention.
Technical summary
The advisory describes a Linux kernel net:vlan defect where VLAN 0 is automatically added or removed when a device is administratively brought up or down, but the behavior breaks if rx-vlan-filter is disabled or re-enabled while the device is running. In one path, VLAN 0 is not removed and memory is leaked. In the other, VLAN 0 can be deleted later even though it was not added under the same conditions, causing refcount imbalance that can trigger null-ptr-unref or BUG_ON in unregister_vlan_dev(). The source advisory states the fix is to track whether VLAN 0 was automatically added on NETDEV_UP and use that state on NETDEV_DOWN, independent of the current rx-vlan-filter setting.
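The bookkeeping problem and the fix described above, shown as a simplified user-space model in C. This is an added example, not kernel or Siemens code; the struct, function and event names are hypothetical, and the integer counter stands in for the VLAN 0 reference count.

```c
#include <stdbool.h>
#include <stdio.h>

/* Simplified user-space model; all names are hypothetical, not kernel symbols. */
struct netdev_model {
    bool rx_vlan_filter;   /* current rx-vlan-filter feature state */
    bool vid0_auto_added;  /* fixed logic only: set when UP added VLAN 0 */
    int  vid0_refs;        /* references held on VLAN 0 */
};
enum event { EV_UP, EV_DOWN };
typedef void (*handler_fn)(struct netdev_model *, enum event);

/* Before the fix: UP and DOWN both consult the *current* filter setting. */
static void ev_unfixed(struct netdev_model *d, enum event ev)
{
    if (ev == EV_UP && d->rx_vlan_filter)
        d->vid0_refs++;
    else if (ev == EV_DOWN && d->rx_vlan_filter)
        d->vid0_refs--;
}

/* After the fix: DOWN undoes only what UP recorded, whatever the filter says now. */
static void ev_fixed(struct netdev_model *d, enum event ev)
{
    if (ev == EV_UP && d->rx_vlan_filter) {
        d->vid0_refs++;
        d->vid0_auto_added = true;
    } else if (ev == EV_DOWN && d->vid0_auto_added) {
        d->vid0_refs--;
        d->vid0_auto_added = false;
    }
}

/* UP, flip the filter while the device is running, DOWN; return the final count. */
static int run_cycle(handler_fn h, bool filter_at_up)
{
    struct netdev_model d = { .rx_vlan_filter = filter_at_up };
    h(&d, EV_UP);
    d.rx_vlan_filter = !d.rx_vlan_filter;  /* runtime toggle */
    h(&d, EV_DOWN);
    return d.vid0_refs;                    /* 0 means balanced */
}

int main(void)
{
    /* columns: filter on->off during runtime, filter off->on during runtime */
    printf("unfixed: %d %d\n", run_cycle(ev_unfixed, true), run_cycle(ev_unfixed, false));
    printf("fixed:   %d %d\n", run_cycle(ev_fixed, true), run_cycle(ev_fixed, false));
    return 0;
}
```

A final count of 1 corresponds to the leaked VLAN 0 entry, and -1 to the removal of an entry that was never added, which is the imbalance the advisory ties to the failure in unregister_vlan_dev().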
Defensive priority
Medium. The issue is locally reachable and primarily impacts availability, but it affects industrial products and can produce a kernel failure path. Because the Siemens advisory lists no available fix at publication time, hardening and access control are the main near-term mitigations.
Recommended defensive actions
- Inventory whether any listed Siemens SIMATIC S7-1500 CPU models are deployed, including the SIPLUS variant, and confirm whether the additional GNU/Linux subsystem is in use.
- Restrict interactive shell access and other local administrative access to trusted personnel only, as stated in the advisory.
- Limit who can modify network interface settings such as rx-vlan-filter, VLAN membership, and related ethtool operations.
- Apply Siemens and CISA advisory guidance for the affected products and monitor for updated firmware or vendor fixes.
- Use network segmentation and OT hardening practices to reduce the chance that an untrusted user can reach the affected management functions.
- Document maintenance procedures so runtime toggling of VLAN filtering is avoided unless explicitly required and approved.
Evidence notes
This debrief is based on the supplied CISA CSAF source item for ICSA-25-162-05 and the referenced Siemens ProductCERT advisory SSA-082556. The source ties CVE-2025-38470 to Siemens SIMATIC S7-1500 CPU 1518-4/1518F-4 PN/DP MFP and SIPLUS variants, notes that no fix was available at the time of publication, and provides a Linux kernel root-cause description centered on VLAN 0 refcount imbalance when rx-vlan-filter is toggled during runtime. The timing context used here follows the CVE publication date of 2025-06-10 and the latest source modification date of 2026-05-14; later advisory republication dates are not treated as the CVE issue date.
Official resources
- CVE-2025-38470 CVE record (CVE.org)
- CVE-2025-38470 NVD detail (NVD)
- Source item URL (cisa_csaf)
Published in CISA CSAF on 2025-06-10 as ICSA-25-162-05 and later republished/updated through 2026-05-14. The supplied source indicates no fix was available at publication time.