CVE-2025-21001
CriticalActively ExploitedSiemens SIMATIC S7-1500 Remote Code Execution
ACTIVELY EXPLOITED IN THE WILD
APT-RELATED
CRITICAL INFRASTRUCTURE
9.8
CVSS v3.1 Base Score
Critical severity — Immediate action required
AV: Network AC: LowAuth: None
This CVE represents a critical risk to any Siemens S7-1500 deployment. The vulnerability requires no authentication and is exploitable over the network via port 102 (ISO-TSAP). Active exploitation has been confirmed by multiple threat intelligence sources, with at least one APT group incorporating this into OT-targeting toolkits. Immediate patching or network isolation is essential. Business impact includes potential production shutdown, safety system compromise, and loss of process visibility.
Status
Actively Exploited
Complexity
Low
Auth Required
No
Initial Access
Direct network access to PLC communication port (TCP/102)
Threat Actors / APT Groups
CHERNOVITEXENOTIME
Known Techniques
- Malformed S7comm++ packet with oversized PDU header
- Heap spray via repeated connection setup/teardown
- Shellcode injection through crafted write operations
Published:2025-01-15
Modified:2025-02-01
Vendor:Siemens
CWE:CWE-787
Out-of-bounds Write
Risk Summary
Overall RiskCritical
ExploitationActively Exploited
DetectionHigh coverage
Detection Rate97%
Rules Available3
Industry Sectors
Threat Actors
CHERNOVITE
XENOTIME