Lucene search
+L

Siemens SIMATIC S7-1500 Improper Input Validation (CVE-2025-38470)

🗓️ 23 Mar 2026 00:00:00Reported by TenableType 
nessus
 nessus
🔗 www.tenable.com👁 5 Views

Linux VLAN refcount imbalance leaks memory and trigger null pointer checks.

Related
Refs
Code
#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
##

include('compat.inc');

if (description)
{
  script_id(505282);
  script_version("1.2");
  script_set_attribute(attribute:"plugin_modification_date", value:"2026/03/24");

  script_cve_id("CVE-2025-38470");

  script_name(english:"Siemens SIMATIC S7-1500 Improper Input Validation (CVE-2025-38470)");

  script_set_attribute(attribute:"synopsis", value:
"The remote OT asset is affected by a vulnerability.");
  script_set_attribute(attribute:"description", value:
"In the Linux kernel, the following vulnerability has been resolved:
net: vlan: fix VLAN 0 refcount imbalance of toggling filtering during
runtime    Assuming the rx-vlan-filter feature is enabled on a net
device, the  8021q module will automatically add or remove VLAN 0 when
the net device  is put administratively up or down, respectively.
There are a couple of  problems with the above scheme.    The first
problem is a memory leak that can happen if the rx-vlan-filter
feature is disabled while the device is running:     # ip link add
bond1 up type bond mode 0   # ethtool -K bond1 rx-vlan-filter off   #
ip link del dev bond1    When the device is put administratively down
the rx-vlan-filter  feature is disabled, so the 8021q module will
not remove VLAN 0 and the  memory will be leaked [1].    Another
problem that can happen is that the kernel can automatically  delete
VLAN 0 when the device is put administratively down despite not
adding it when the device was put administratively up since during
that  time the rx-vlan-filter feature was disabled. null-ptr-unref
or  bug_on[2] will be triggered by unregister_vlan_dev() for refcount
imbalance if toggling filtering during runtime:    $ ip link add bond0
type bond mode 0  $ ip link add link bond0 name vlan0 type vlan id 0
protocol 802.1q  $ ethtool -K bond0 rx-vlan-filter off  $ ifconfig
bond0 up  $ ethtool -K bond0 rx-vlan-filter on  $ ifconfig bond0 down
$ ip link del vlan0    Root cause is as below:  step1: add vlan0 for
real_dev, such as bond, team.  register_vlan_dev
vlan_vid_add(real_dev,htons(ETH_P_8021Q),0) //refcnt=1  step2: disable
vlan filter feature and enable real_dev  step3: change filter from 0
to 1  vlan_device_event      vlan_filter_push_vids
ndo_vlan_rx_add_vid //No refcnt added to real_dev vlan0  step4:
real_dev down  vlan_device_event      vlan_vid_del(dev,
htons(ETH_P_8021Q), 0); //refcnt=0          vlan_info_rcu_free //free
vlan0  step5: delete vlan0  unregister_vlan_dev
BUG_ON(!vlan_info); //vlan_info is null    Fix both problems by noting
in the VLAN info whether VLAN 0 was  automatically added upon
NETDEV_UP and based on that decide whether it  should be deleted upon
NETDEV_DOWN, regardless of the state of the  rx-vlan-filter feature.

This plugin only works with Tenable.ot.
Please visit https://www.tenable.com/products/tenable-ot for more information.");
  script_set_attribute(attribute:"see_also", value:"https://cert-portal.siemens.com/productcert/html/ssa-082556.html");
  script_set_attribute(attribute:"solution", value:
"Refer to the vendor advisory.");
  script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:S/C:N/I:N/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2025-38470");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");
  script_cwe_id(20);

  script_set_attribute(attribute:"vuln_publication_date", value:"2025/06/10");
  script_set_attribute(attribute:"patch_publication_date", value:"2025/06/10");
  script_set_attribute(attribute:"plugin_publication_date", value:"2026/03/23");

  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:siemens:simatic_s7-1500_cpu_firmware:3.1.5");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:siemens:siplus_s7-1500_cpu_firmware");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Tenable.ot");

  script_copyright(english:"This script is Copyright (C) 2026 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("tenable_ot_api_integration.nasl");
  script_require_keys("Tenable.ot/Siemens");

  exit(0);
}


include('tenable_ot_cve_funcs.inc');

get_kb_item_or_exit('Tenable.ot/Siemens');

var asset = tenable_ot::assets::get(vendor:'Siemens');

var vuln_cpes = {
    "cpe:/o:siemens:simatic_s7-1500_cpu_firmware:3.1.5" :
        {"versionStartIncluding" : "3.1.5", "family" : "S71500", "orderNumbers" : ['6ES7518-4AX00-1AC0', '6ES7518-4FX00-1AC0', '6ES7518-4AX00-1AB0', '6ES7518-4FX00-1AB0']},
    "cpe:/o:siemens:siplus_s7-1500_cpu_firmware" :
        {"family" : "S71500", "orderNumbers" : ['6AG1518-4AX00-4AC0']}
};

tenable_ot::cve::compare_and_report(asset:asset, cpes:vuln_cpes, severity:SECURITY_WARNING);

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

24 Mar 2026 00:00Current
6.1Medium risk
Vulners AI Score6.1
CVSS 3.15.5
EPSS0.00162
5