#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
##
include('compat.inc');
if (description)
{
script_id(505282);
script_version("1.2");
script_set_attribute(attribute:"plugin_modification_date", value:"2026/03/24");
script_cve_id("CVE-2025-38470");
script_name(english:"Siemens SIMATIC S7-1500 Improper Input Validation (CVE-2025-38470)");
script_set_attribute(attribute:"synopsis", value:
"The remote OT asset is affected by a vulnerability.");
script_set_attribute(attribute:"description", value:
"In the Linux kernel, the following vulnerability has been resolved:
net: vlan: fix VLAN 0 refcount imbalance of toggling filtering during
runtime Assuming the rx-vlan-filter feature is enabled on a net
device, the 8021q module will automatically add or remove VLAN 0 when
the net device is put administratively up or down, respectively.
There are a couple of problems with the above scheme. The first
problem is a memory leak that can happen if the rx-vlan-filter
feature is disabled while the device is running: # ip link add
bond1 up type bond mode 0 # ethtool -K bond1 rx-vlan-filter off #
ip link del dev bond1 When the device is put administratively down
the rx-vlan-filter feature is disabled, so the 8021q module will
not remove VLAN 0 and the memory will be leaked [1]. Another
problem that can happen is that the kernel can automatically delete
VLAN 0 when the device is put administratively down despite not
adding it when the device was put administratively up since during
that time the rx-vlan-filter feature was disabled. null-ptr-unref
or bug_on[2] will be triggered by unregister_vlan_dev() for refcount
imbalance if toggling filtering during runtime: $ ip link add bond0
type bond mode 0 $ ip link add link bond0 name vlan0 type vlan id 0
protocol 802.1q $ ethtool -K bond0 rx-vlan-filter off $ ifconfig
bond0 up $ ethtool -K bond0 rx-vlan-filter on $ ifconfig bond0 down
$ ip link del vlan0 Root cause is as below: step1: add vlan0 for
real_dev, such as bond, team. register_vlan_dev
vlan_vid_add(real_dev,htons(ETH_P_8021Q),0) //refcnt=1 step2: disable
vlan filter feature and enable real_dev step3: change filter from 0
to 1 vlan_device_event vlan_filter_push_vids
ndo_vlan_rx_add_vid //No refcnt added to real_dev vlan0 step4:
real_dev down vlan_device_event vlan_vid_del(dev,
htons(ETH_P_8021Q), 0); //refcnt=0 vlan_info_rcu_free //free
vlan0 step5: delete vlan0 unregister_vlan_dev
BUG_ON(!vlan_info); //vlan_info is null Fix both problems by noting
in the VLAN info whether VLAN 0 was automatically added upon
NETDEV_UP and based on that decide whether it should be deleted upon
NETDEV_DOWN, regardless of the state of the rx-vlan-filter feature.
This plugin only works with Tenable.ot.
Please visit https://www.tenable.com/products/tenable-ot for more information.");
script_set_attribute(attribute:"see_also", value:"https://cert-portal.siemens.com/productcert/html/ssa-082556.html");
script_set_attribute(attribute:"solution", value:
"Refer to the vendor advisory.");
script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:S/C:N/I:N/A:C");
script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H");
script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
script_set_attribute(attribute:"cvss_score_source", value:"CVE-2025-38470");
script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
script_set_attribute(attribute:"exploit_available", value:"false");
script_cwe_id(20);
script_set_attribute(attribute:"vuln_publication_date", value:"2025/06/10");
script_set_attribute(attribute:"patch_publication_date", value:"2025/06/10");
script_set_attribute(attribute:"plugin_publication_date", value:"2026/03/23");
script_set_attribute(attribute:"plugin_type", value:"remote");
script_set_attribute(attribute:"cpe", value:"cpe:/o:siemens:simatic_s7-1500_cpu_firmware:3.1.5");
script_set_attribute(attribute:"cpe", value:"cpe:/o:siemens:siplus_s7-1500_cpu_firmware");
script_end_attributes();
script_category(ACT_GATHER_INFO);
script_family(english:"Tenable.ot");
script_copyright(english:"This script is Copyright (C) 2026 and is owned by Tenable, Inc. or an Affiliate thereof.");
script_dependencies("tenable_ot_api_integration.nasl");
script_require_keys("Tenable.ot/Siemens");
exit(0);
}
include('tenable_ot_cve_funcs.inc');
get_kb_item_or_exit('Tenable.ot/Siemens');
var asset = tenable_ot::assets::get(vendor:'Siemens');
var vuln_cpes = {
"cpe:/o:siemens:simatic_s7-1500_cpu_firmware:3.1.5" :
{"versionStartIncluding" : "3.1.5", "family" : "S71500", "orderNumbers" : ['6ES7518-4AX00-1AC0', '6ES7518-4FX00-1AC0', '6ES7518-4AX00-1AB0', '6ES7518-4FX00-1AB0']},
"cpe:/o:siemens:siplus_s7-1500_cpu_firmware" :
{"family" : "S71500", "orderNumbers" : ['6AG1518-4AX00-4AC0']}
};
tenable_ot::cve::compare_and_report(asset:asset, cpes:vuln_cpes, severity:SECURITY_WARNING);
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation