PatchSiren cyber security CVE debrief
CVE-2025-29931 Siemens CVE debrief
CVE-2025-29931 is a low-severity issue in Siemens TeleControl Server Basic where a serialized message length field is not properly validated, allowing memory exhaustion during deserialization. The impact is a partial denial of service, not code execution or data compromise. Exploitation is narrowly constrained: it is described as possible only in redundant Telecontrol Server Basic setups and only when the connection between the redundant servers has been disrupted.
- Vendor
- Siemens
- Product
- TeleControl Server Basic
- CVSS
- LOW 3.7
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2025-04-16
- Original CVE updated
- 2025-05-06
- Advisory published
- 2025-04-16
- Advisory updated
- 2025-05-06
Who should care
Siemens TeleControl Server Basic operators, especially environments using redundant server setups. Teams responsible for ICS availability, redundancy design, and patching should pay attention if the product is deployed in a way that matches the advisory conditions.
Technical summary
The advisory describes an unauthenticated remote denial-of-service condition caused by improper validation of a length field in a serialized message. The product uses that field to determine how much memory to allocate during deserialization, and a crafted value can drive excessive memory allocation. The issue is conditionally exploitable: the advisory says it applies only to redundant Telecontrol Server Basic setups and only when the link between the redundant servers has been disrupted. Siemens provides a fix in V3.1.2.2 or later and also recommends disabling redundancy if it is not used.
Defensive priority
Low to moderate priority overall, but higher priority for any site running Telecontrol Server Basic in a redundant configuration. Because exploitation requires a specific deployment state and network disruption between redundant servers, this is not a broad exposure; however, availability impact in OT environments can still be operationally meaningful.
Recommended defensive actions
- Update Siemens TeleControl Server Basic to V3.1.2.2 or later.
- Disable Telecontrol Server Basic redundancy if it is not used.
- Confirm whether your deployment matches the advisory's affected condition: redundant setup plus disrupted inter-server connection.
- Review Siemens and CISA industrial-control-systems defensive guidance for segmentation, monitoring, and defense-in-depth.
- Validate patching and configuration changes in an OT-safe maintenance window before production rollout.
Evidence notes
All substantive claims above are drawn from the supplied CISA CSAF advisory record ICSA-25-112-02 and its linked Siemens references. The record states the vulnerability affects Siemens TeleControl Server Basic, was published on 2025-04-16 and revised on 2025-05-06, and includes remediation to update to V3.1.2.2 or later or disable redundancy if not used. The advisory also states that exploitation is only possible in redundant setups and only if the connection between redundant servers has been disrupted. No KEV listing was provided in the source corpus.
Official resources
-
CVE-2025-29931 CVE record
CVE.org
-
CVE-2025-29931 NVD detail
NVD
-
Source item URL
cisa_csaf
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
CISA CSAF advisory ICSA-25-112-02 for CVE-2025-29931 was published on 2025-04-16 and revised on 2025-05-06 with a revision note indicating typo fixes. The supplied data does not list the CVE in KEV.