Lucene search
+L

Siemens SIMATIC S7-1500 Improper Locking (CVE-2025-39773)

🗓️ 16 Feb 2026 00:00:00Reported by TenableType 
nessus
 nessus
🔗 www.tenable.com👁 12 Views

Siemens S7 1500 improper locking CVE-2025-39773: bridge multicast timer overflow causes soft lockup; fix bounds.

Related
Refs
Code
#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
##

include('compat.inc');

if (description)
{
  script_id(505167);
  script_version("1.2");
  script_set_attribute(attribute:"plugin_modification_date", value:"2026/02/17");

  script_cve_id("CVE-2025-39773");

  script_name(english:"Siemens SIMATIC S7-1500 Improper Locking (CVE-2025-39773)");

  script_set_attribute(attribute:"synopsis", value:
"The remote OT asset is affected by a vulnerability.");
  script_set_attribute(attribute:"description", value:
"In the Linux kernel, the following vulnerability has been resolved:
net: bridge: fix soft lockup in br_multicast_query_expired()    When
set multicast_query_interval to a large value, the local variable
'time' in br_multicast_send_query() may overflow. If the time is
smaller  than jiffies, the timer will expire immediately, and then
call mod_timer()  again, which creates a loop and may trigger the
following soft lockup  issue.      watchdog: BUG: soft lockup - CPU#1
stuck for 221s! [rb_consumer:66]    CPU: 1 UID: 0 PID: 66 Comm:
rb_consumer Not tainted 6.16.0+ #259 PREEMPT(none)    Call Trace:
<IRQ>     __netdev_alloc_skb+0x2e/0x3a0
br_ip6_multicast_alloc_query+0x212/0x1b70
__br_multicast_send_query+0x376/0xac0
br_multicast_send_query+0x299/0x510
br_multicast_query_expired.constprop.0+0x16d/0x1b0
call_timer_fn+0x3b/0x2a0     __run_timers+0x619/0x950
run_timer_softirq+0x11c/0x220     handle_softirqs+0x18e/0x560
__irq_exit_rcu+0x158/0x1a0     sysvec_apic_timer_interrupt+0x76/0x90
</IRQ>    This issue can be reproduced with:    ip link add br0 type
bridge    echo 1 > /sys/class/net/br0/bridge/multicast_querier    echo
0xffffffffffffffff >
/sys/class/net/br0/bridge/multicast_query_interval    ip link set dev
br0 up    The multicast_startup_query_interval can also cause this
issue. Similar to  the commit 99b40610956a (net: bridge: mcast: add
and enforce query  interval minimum), add check for the query
interval maximum to fix this  issue.

This plugin only works with Tenable.ot.
Please visit https://www.tenable.com/products/tenable-ot for more information.");
  script_set_attribute(attribute:"see_also", value:"https://cert-portal.siemens.com/productcert/html/ssa-082556.html");
  script_set_attribute(attribute:"solution", value:
"Refer to the vendor advisory.");
  script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:S/C:N/I:N/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2025-39773");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");
  script_cwe_id(667);

  script_set_attribute(attribute:"vuln_publication_date", value:"2025/06/10");
  script_set_attribute(attribute:"patch_publication_date", value:"2025/06/10");
  script_set_attribute(attribute:"plugin_publication_date", value:"2026/02/16");

  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:siemens:simatic_s7-1500_cpu_firmware:3.1.5");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:siemens:siplus_s7-1500_cpu_firmware:3.1.5");
  script_set_attribute(attribute:"generated_plugin", value:"former");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Tenable.ot");

  script_copyright(english:"This script is Copyright (C) 2026 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("tenable_ot_api_integration.nasl");
  script_require_keys("Tenable.ot/Siemens");

  exit(0);
}


include('tenable_ot_cve_funcs.inc');

get_kb_item_or_exit('Tenable.ot/Siemens');

var asset = tenable_ot::assets::get(vendor:'Siemens');

var vuln_cpes = {
    "cpe:/o:siemens:simatic_s7-1500_cpu_firmware:3.1.5" :
        {"versionStartIncluding" : "3.1.5", "family" : "S71500", "orderNumbers" : ['6ES7518-4AX00-1AB0', '6ES7518-4FX00-1AC0', '6ES7518-4AX00-1AC0', '6ES7518-4FX00-1AB0']},
    "cpe:/o:siemens:siplus_s7-1500_cpu_firmware:3.1.5" :
        {"versionStartIncluding" : "3.1.5", "family" : "S71500", "orderNumbers" : ['6AG1518-4AX00-4AC0']}
};

tenable_ot::cve::compare_and_report(asset:asset, cpes:vuln_cpes, severity:SECURITY_WARNING);

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

17 Feb 2026 00:00Current
6.8Medium risk
Vulners AI Score6.8
CVSS 3.15.5
EPSS0.00112
12