PatchSiren cyber security CVE debrief
CVE-2025-6395 Siemens CVE debrief
CVE-2025-6395 is a medium-severity NULL pointer dereference in GnuTLS's _gnutls_figure_common_ciphersuite() affecting Siemens SIMATIC S7-1500 CPU/SIPLUS models with an additional GNU/Linux subsystem. The source advisory lists no fix as available, so the practical defenses are to restrict shell access to trusted personnel and run only trusted software on the affected devices.
- Vendor
- Siemens
- Product
- SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0)
- CVSS
- MEDIUM 6.5
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2025-06-10
- Original CVE updated
- 2026-05-14
- Advisory published
- 2025-06-10
- Advisory updated
- 2026-05-14
Who should care
Owners and operators of the affected Siemens SIMATIC S7-1500 CPU 1518-4/1518F-4 PN/DP MFP and SIPLUS variants, especially OT teams responsible for the additional GNU/Linux subsystem, shell access, and software deployment on these devices.
Technical summary
The source advisory assigns CVSS 3.1 AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:H and maps the issue to CWE-476 (NULL Pointer Dereference). CISA's CSAF record and Siemens' advisory identify the affected products as SIMATIC S7-1500 CPU 1518-4/1518F-4 PN/DP MFP variants plus the SIPLUS S7-1500 CPU 1518-4 PN/DP MFP. The source materials do not describe a fixed version; they instead recommend limiting access to the interactive shell of the additional GNU/Linux subsystem and using only trusted applications.
Defensive priority
Medium-High: prioritize quickly for affected OT environments because no fix is available in the source advisory and mitigation depends on access control and trusted-source execution.
Recommended defensive actions
- Restrict interactive shell access on the additional GNU/Linux subsystem to trusted personnel only.
- Allow only applications from trusted sources to be built and run on the affected devices.
- Inventory the listed Siemens SIMATIC S7-1500 and SIPLUS CPU models to confirm exposure and whether the GNU/Linux subsystem is in use.
- Monitor Siemens ProductCERT and CISA advisory updates for any future fix or revised guidance.
- Apply CISA ICS recommended practices and defense-in-depth controls appropriate for industrial control environments.
Evidence notes
CISA's ICSA-25-162-05 CSAF advisory and Siemens SSA-082556 both identify CVE-2025-6395 as a NULL pointer dereference in GnuTLS's _gnutls_figure_common_ciphersuite() and list five affected Siemens CPU product names. The advisory content provided here states that no fix is currently available and recommends only access restriction and trusted-source execution as mitigations. The supplied corpus does not describe a public exploit, observed exploitation, or ransomware use.
Official resources
-
CVE-2025-6395 CVE record
CVE.org
-
CVE-2025-6395 NVD detail
NVD
-
Source item URL
cisa_csaf
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
Publicly disclosed on 2025-06-10 through CISA's ICS advisory ICSA-25-162-05. The advisory was updated multiple times afterward, with the latest supplied republication dated 2026-05-14. This debrief uses the CVE publication date as the issue