Siemens SIMATIC S7-1500 Improper Input Validation (CVE-2025-21724)

🗓️ 13 Nov 2025 00:00:00Reported by TenableType

Siemens SIMATIC S7-1500 improper input validation vulnerability (CVE-2025-21724) affecting Tenable.ot.

Reporter	Title	Published	Views	Family All 172
Tenable Nessus	Amazon Linux 2023 : bpftool, kernel, kernel-devel (ALAS2023-2025-876)	14 Mar 202500:00	–	nessus
Tenable Nessus	Alibaba Cloud Linux 3 : 0075: cloud-kernel bugfix, enhancement and (ALINUX3-SA-2025:0075)	27 May 202500:00	–	nessus
Tenable Nessus	Debian dla-4102 : linux-config-6.1 - security update	1 Apr 202500:00	–	nessus
Tenable Nessus	NewStart CGSL MAIN 7.02 : kernel Multiple Vulnerabilities (NS-SA-2025-0118)	25 Jul 202500:00	–	nessus
Tenable Nessus	Oracle Linux 10 / 9 : Unbreakable Enterprise kernel (ELSA-2025-20480)	18 Jul 202500:00	–	nessus
Tenable Nessus	Oracle Linux 10 / 9 : Unbreakable Enterprise kernel (ELSA-2025-20530)	19 Aug 202500:00	–	nessus
Tenable Nessus	Oracle Linux 8 / 9 : Unbreakable Enterprise kernel (ELSA-2026-50261)	12 May 202600:00	–	nessus
Tenable Nessus	Photon OS 5.0: Linux PHSA-2025-5.0-0486	15 Mar 202500:00	–	nessus
Tenable Nessus	RHEL 9 : kernel (RHSA-2026:0917)	22 Jan 202600:00	–	nessus
Tenable Nessus	RHEL 9 : kernel (RHSA-2026:1441)	28 Jan 202600:00	–	nessus

Source	Link
cert-portal	www.cert-portal.siemens.com/productcert/html/ssa-082556.html
cisa	www.cisa.gov/news-events/ics-advisories/icsa-23-348-10
cisa	www.cisa.gov/news-events/ics-advisories/icsa-25-162-05
cve	www.cve.mitre.org/cgi-bin/cvename.cgi

#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
##

include('compat.inc');

if (description)
{
  script_id(503910);
  script_version("1.2");
  script_set_attribute(attribute:"plugin_modification_date", value:"2026/02/14");

  script_cve_id("CVE-2025-21724");
  script_xref(name:"ICSA", value:"25-162-05");
  script_xref(name:"ICSA", value:"23-348-10");

  script_name(english:"Siemens SIMATIC S7-1500 Improper Input Validation (CVE-2025-21724)");

  script_set_attribute(attribute:"synopsis", value:
"The remote OT asset is affected by a vulnerability.");
  script_set_attribute(attribute:"description", value:
"iommufd/iova_bitmap: Fix shift-out-of-bounds in
iova_bitmap_offset_to_index(). Resolve a UBSAN shift-out-of-bounds
issue in iova_bitmap_offset_to_index() where shifting the constant 1
(of type int) by bitmap->mapped.pgshift (an unsigned long value) could
result in undefined behavior. The constant 1 defaults to a 32-bit
int, and when pgshift exceeds 31 (e.g., pgshift = 63) the shift
operation overflows, as the result cannot be represented in a 32-bit
type.

This plugin only works with Tenable.ot.
Please visit https://www.tenable.com/products/tenable-ot for more information.");
  script_set_attribute(attribute:"see_also", value:"https://cert-portal.siemens.com/productcert/html/ssa-082556.html");
  script_set_attribute(attribute:"see_also", value:"https://www.cisa.gov/news-events/ics-advisories/icsa-23-348-10");
  script_set_attribute(attribute:"see_also", value:"https://www.cisa.gov/news-events/ics-advisories/icsa-25-162-05");
  script_set_attribute(attribute:"solution", value:
"The following text was originally created by the Cybersecurity and Infrastructure Security Agency (CISA). The original
can be found at CISA.gov.

Siemens is preparing fixed versions and reports that currently, no fix is available.

As a general security measure, Siemens recommends protecting network access to devices with appropriate mechanisms. To
operate the devices in a protected IT environment, Siemens recommends configuring the environment according to Siemens'
operational guidelines for industrial security and following recommendations in the product manuals.

Additional information on industrial security by Siemens can be found on the Siemens industrial security webpage

For more information see the associated Siemens security advisory SSA-082556 in HTML and CSAF.");
  script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2025-21724");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_cwe_id(20);

  script_set_attribute(attribute:"vuln_publication_date", value:"2025/06/10");
  script_set_attribute(attribute:"patch_publication_date", value:"2025/06/10");
  script_set_attribute(attribute:"plugin_publication_date", value:"2025/11/13");

  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:siemens:simatic_s7-1500_cpu_firmware:3.1.5");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:siemens:siplus_s7-1500_cpu_firmware:3.1.5");
  script_set_attribute(attribute:"generated_plugin", value:"former");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Tenable.ot");

  script_copyright(english:"This script is Copyright (C) 2025-2026 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("tenable_ot_api_integration.nasl");
  script_require_keys("Tenable.ot/Siemens");

  exit(0);
}


include('tenable_ot_cve_funcs.inc');

get_kb_item_or_exit('Tenable.ot/Siemens');

var asset = tenable_ot::assets::get(vendor:'Siemens');

var vuln_cpes = {
    "cpe:/o:siemens:simatic_s7-1500_cpu_firmware:3.1.5" :
        {"versionStartIncluding" : "3.1.5", "family" : "S71500", "orderNumbers" : ['6ES7518-4FX00-1AB0', '6ES7518-4AX00-1AC0', '6ES7518-4FX00-1AC0', '6ES7518-4AX00-1AB0']},
    "cpe:/o:siemens:siplus_s7-1500_cpu_firmware:3.1.5" :
        {"versionStartIncluding" : "3.1.5", "family" : "S71500", "orderNumbers" : ['6AG1518-4AX00-4AC0']}
};

tenable_ot::cve::compare_and_report(asset:asset, cpes:vuln_cpes, severity:SECURITY_HOLE);

14 Feb 2026 00:00Current

6.9Medium risk

Vulners AI Score6.9

CVSS 3.17.8

EPSS0.00026