PatchSiren cyber security CVE debrief

CVE-2025-38499 Siemens CVE debrief

CVE-2025-38499 is a Linux kernel mount-handling vulnerability tracked in Siemens advisory ICSA-25-162-05 / SSA-082556 for SIMATIC S7-1500 CPU family products. The kernel fix description says clone_private_mnt() did not verify CAP_SYS_ADMIN in the correct user namespace, which could allow a clone to expose content hidden by a mount that the caller would not be able to undo. CISA’s CSAF record assigns a Medium CVSS 5.5 score with local, low-privilege, availability-only impact, and the advisory states that no fix is currently available.

Vendor: Siemens
Product: SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0)
CVSS: MEDIUM 5.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2025-06-10
Original CVE updated: 2026-05-14
Advisory published: 2025-06-10
Advisory updated: 2026-05-14

Who should care

Operators and maintainers of the affected Siemens SIMATIC S7-1500 CPU family, OT/ICS security teams, and Linux administrators responsible for local access, shell access, and mount-namespace behavior on these devices.

Technical summary

The issue is a missing privilege check in the Linux kernel function clone_private_mnt(): it checked for MNT_LOCKED-related conditions but did not always verify that the caller had CAP_SYS_ADMIN in the user namespace that owns the mount namespace the mount belongs to. The supplied advisory text says the missing check matters because cloning should not expose something hidden by a mount that the caller would not be able to undo. The supplied CVSS vector is AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H, indicating local access, low privileges, and high availability impact only.

Defensive priority

Medium, with elevated operational attention in OT environments because the affected Siemens advisory currently lists no fix and the issue can affect availability.

Recommended defensive actions

  • Restrict access to the interactive shell of the additional GNU/Linux subsystem to trusted personnel only.
  • Only build and run applications from trusted sources.
  • Review local privilege boundaries and minimize who can perform mount-related actions on affected devices.
  • Monitor Siemens and CISA advisory updates for SSA-082556 / ICSA-25-162-05, since the supplied advisory says no fix is currently available.
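
One way to carry out the privilege-boundary review listed above on a Linux system that exposes /proc, as an added example (not code from Siemens, CISA or the kernel fix): it lists non-root processes whose effective capability set includes CAP_SYS_ADMIN, which also catches processes that hold it only inside their own user namespace. The function names and the sample process are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag non-root processes whose effective capability set
# includes CAP_SYS_ADMIN, the capability that gates mount operations.
CAP_SYS_ADMIN_BIT=21    # value of CAP_SYS_ADMIN in linux/capability.h

# has_cap_sys_admin HEXMASK: succeeds if bit 21 is set in a CapEff mask.
has_cap_sys_admin() {
    [ $(( (0x$1 >> CAP_SYS_ADMIN_BIT) & 1 )) -eq 1 ]
}

# audit_status: read one /proc/<pid>/status text on stdin and print
# "pid uid name" when the real UID is non-zero and CapEff has the bit.
audit_status() {
    name='' pid='' uid='' capeff=''
    while read -r key v1 _rest; do
        case "$key" in
            Name:)   name=$v1 ;;
            Pid:)    pid=$v1 ;;
            Uid:)    uid=$v1 ;;
            CapEff:) capeff=$v1 ;;
        esac
    done
    [ -n "$uid" ] && [ -n "$capeff" ] || return 1
    [ "$uid" != 0 ] && has_cap_sys_admin "$capeff" || return 1
    printf '%s %s %s\n' "$pid" "$uid" "$name"
}

# scan_proc: apply audit_status to every readable process on this host.
scan_proc() {
    for f in /proc/[0-9]*/status; do
        if [ -r "$f" ]; then audit_status < "$f" || true; fi
    done
}

# Constructed sample: a UID-1000 process that is "root" inside its own
# user namespace, so CapEff shows a full mask in /proc.
sample_status() {
    printf 'Name:\tdemo\nPid:\t4242\n'
    printf 'Uid:\t1000\t1000\t1000\t1000\nCapEff:\t000001ffffffffff\n'
}

if [ "${1:-}" = "--scan" ]; then
    scan_proc
else
    sample_status | audit_status
fi
```

Run it with --scan to check live processes. UIDs appear as seen from the user namespace of the process doing the reading.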

Evidence notes

Evidence comes from the supplied CISA CSAF advisory for ICSA-25-162-05 and its Siemens references. The record lists five affected Siemens SIMATIC S7-1500 CPU family product variants and states that no fix is available. The CVE description specifically identifies the Linux kernel clone_private_mnt() CAP_SYS_ADMIN-in-the-right-userns gap, and the supplied CVSS vector is AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H.

Official resources

Published 2025-06-10 in the CISA CSAF advisory (ICSA-25-162-05); the source record was last updated 2026-05-14. The supplied timeline shows the same publication date for the source and the CVE, with later republication updates tied to the C