PatchSiren

PatchSiren cyber security CVE debrief

CVE-2025-4598 Siemens CVE debrief

A race condition vulnerability in systemd-coredump affects Siemens SIMATIC S7-1500 CPU 1518-4 PN/DP MFP devices. The flaw allows an attacker with local access to force a SUID process to crash, then exploit PID recycling to gain access to privileged process coredump data before systemd-coredump can analyze /proc/pid/auxv. Successful exploitation could expose sensitive memory contents such as /etc/shadow. The vulnerability requires local access, low privileges, and high attack complexity due to the race condition. No patch is currently available.

Vendor: Siemens
Product: SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0)
CVSS: MEDIUM 4.7
CISA KEV: Not listed in stored evidence
Original CVE published: 2025-06-10
Original CVE updated: 2026-05-14
Advisory published: 2025-06-10
Advisory updated: 2026-05-14

Who should care

Organizations operating Siemens SIMATIC S7-1500 CPU 1518-4 PN/DP MFP devices in industrial environments, particularly those where several users have shell access to the embedded GNU/Linux subsystem or where deployed applications rely on SUID binaries.

Technical summary

The vulnerability exists in systemd-coredump's handling of SUID process crashes. When a SUID process crashes, systemd-coredump attempts to analyze /proc/pid/auxv to determine process privileges. An attacker can trigger a crash and race to recycle the PID with a non-SUID binary before systemd-coredump completes its analysis. If successful, the attacker gains access to the original SUID process's coredump file, which may contain sensitive data loaded into memory by the privileged process. The attack requires local access and is rated MEDIUM severity (CVSS 4.7) due to high attack complexity.

Defensive priority

medium

Recommended defensive actions

  • Restrict interactive shell access to the GNU/Linux subsystem on affected devices to trusted personnel only
  • Only build and run applications from trusted sources on affected systems
  • Monitor for unexpected SUID process crashes and coredump generation on affected devices
  • Apply security updates from Siemens when available for the SIMATIC S7-1500 CPU 1518-4 PN/DP MFP product family
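The technical summary above explains why the race matters and the monitoring bullet asks for visibility into unexpected SUID crashes. The following detector is an added example written for this debrief; it is not code from PatchSiren, Siemens or the systemd project. It reads `journalctl -o json` output, keeps the records systemd-coredump tags with its COREDUMP_* fields (COREDUMP_PID, COREDUMP_UID, COREDUMP_EXE, COREDUMP_SIGNAL and the journal's own __REALTIME_TIMESTAMP), and raises two kinds of findings: any core dump of a SUID binary triggered by a non-root real UID, and bursts of repeated crashes of one binary by one user, which is what many attempts at winning a PID-recycling race look like on a host. The SUID inventory, the journal records and the burst thresholds are all constructed or arbitrary assumptions, not values from the advisory.

```python
"""Flag suspicious systemd-coredump events in a journal export.

Added example for this debrief. Journal records and the SUID inventory
below are constructed; on a real host the inventory would come from
`find / -perm -4000 -type f` and the records from `journalctl -o json`.
"""
from __future__ import annotations

import json
from collections import defaultdict
from dataclasses import dataclass

# Constructed SUID inventory (assumption: these paths exist on the device).
SUID_BINARIES = frozenset({"/usr/bin/passwd", "/usr/bin/su", "/usr/bin/sudo"})


def _rec(ts_s: int, pid: int, uid: int, exe: str, sig: str = "11") -> dict:
    # Build one constructed journal record using systemd-coredump's field
    # names; __REALTIME_TIMESTAMP is microseconds since the epoch.
    return {"__REALTIME_TIMESTAMP": str(ts_s * 1_000_000), "COREDUMP_PID": str(pid),
            "COREDUMP_UID": str(uid), "COREDUMP_EXE": exe, "COREDUMP_SIGNAL": sig}


# Constructed sample export: one JSON object per line, as journalctl emits it.
SAMPLE_JOURNAL = "\n".join(json.dumps(r) for r in [
    _rec(1_749_550_000, 4101, 1000, "/usr/bin/python3"),   # ordinary crash, benign
    _rec(1_749_550_010, 4120, 1000, "/usr/bin/su"),        # single SUID crash: worth a look
    *[_rec(1_749_550_100 + i, 5000 + i, 1001, "/usr/bin/passwd") for i in range(6)],  # burst
    _rec(1_749_553_700, 6001, 0, "/usr/sbin/sshd"),        # root daemon crash, not SUID
])


@dataclass(frozen=True)
class Coredump:
    ts: float      # seconds since the epoch
    pid: int
    uid: int       # real UID of the crashed process, as systemd-coredump records it
    exe: str
    signal: int


def parse_journal(text: str) -> list[Coredump]:
    """Parse `journalctl -o json` lines, keeping only coredump records."""
    dumps = []
    for line in text.splitlines():
        if not line.strip():
            continue
        r = json.loads(line)
        if "COREDUMP_PID" not in r:
            continue  # some other journal entry
        dumps.append(Coredump(
            ts=int(r["__REALTIME_TIMESTAMP"]) / 1e6,
            pid=int(r["COREDUMP_PID"]),
            uid=int(r["COREDUMP_UID"]),
            exe=r.get("COREDUMP_EXE", ""),
            signal=int(r.get("COREDUMP_SIGNAL", 0)),
        ))
    return sorted(dumps, key=lambda d: d.ts)


def suid_crashes(dumps: list[Coredump], suid_binaries=SUID_BINARIES) -> list[Coredump]:
    """Core dumps of SUID binaries whose real UID is not root: each one is a
    privileged process that crashed while an unprivileged user ran it."""
    return [d for d in dumps if d.exe in suid_binaries and d.uid != 0]


def crash_bursts(dumps: list[Coredump], window_s: float = 60.0, threshold: int = 5):
    """(uid, exe, count) for every (uid, exe) pair with at least `threshold`
    core dumps inside a sliding window of `window_s` seconds. Winning a
    PID-recycling race takes many tries, so repeated crashes of one binary
    by one user are the pattern to hunt for. Thresholds are assumptions."""
    by_key: dict[tuple[int, str], list[float]] = defaultdict(list)
    for d in dumps:
        by_key[(d.uid, d.exe)].append(d.ts)
    bursts = []
    for (uid, exe), times in by_key.items():
        times.sort()
        start, best = 0, 0
        for end in range(len(times)):
            while times[end] - times[start] > window_s:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            bursts.append((uid, exe, best))
    return bursts


def report(text: str = SAMPLE_JOURNAL) -> dict:
    """Run both checks over a journal export and return the findings."""
    dumps = parse_journal(text)
    return {"suid_crashes": suid_crashes(dumps), "bursts": crash_bursts(dumps)}


if __name__ == "__main__":
    findings = report()
    for d in findings["suid_crashes"]:
        print(f"SUID crash: pid={d.pid} uid={d.uid} exe={d.exe} signal={d.signal}")
    for uid, exe, n in findings["bursts"]:
        print(f"burst: uid={uid} crashed {exe} {n} times within the window")
```

On a live host, feed it `journalctl -o json _COMM=systemd-coredump` and replace SUID_BINARIES with the output of `find / -perm -4000 -type f`; a single SUID crash is a triage item, while a burst from one UID is the stronger signal and pairs naturally with the access restrictions listed above.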

Evidence notes

The vulnerability description indicates this is a race condition (CWE-364) in systemd-coredump where an attacker can force a SUID process crash and exploit Linux kernel PID recycling to access privileged coredump data. The CVSS 3.1 vector (AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N) confirms local attack vector, high complexity, low privileges required, and high confidentiality impact with no integrity or availability impact.

Official resources

2025-06-10