PatchSiren cyber security CVE debrief
CVE-2025-30002 Siemens CVE debrief
CVE-2025-30002 is a high-severity SQL injection issue in Siemens TeleControl Server Basic. According to the CISA CSAF advisory, the flaw is in the internally used UpdateConnectionVariables method and can let an authenticated remote attacker bypass authorization controls, read from and write to the application's database, and execute code as NT AUTHORITY\NetworkService. Successful exploitation requires network access to port 8000 on a vulnerable system. Siemens and CISA list an update to V3.1.2.2 or later and access restriction on port 8000 as the primary defensive steps.
- Vendor
- Siemens
- Product
- TeleControl Server Basic
- CVSS
- HIGH 8.8
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2025-04-16
- Original CVE updated
- 2025-05-06
- Advisory published
- 2025-04-16
- Advisory updated
- 2025-05-06
Who should care
Organizations running Siemens TeleControl Server Basic, especially OT/ICS operators, system owners, and defenders responsible for network segmentation, host hardening, and patch management on systems exposing port 8000.
Technical summary
The advisory describes a SQL injection condition in the internally used UpdateConnectionVariables method. The attack requires an authenticated remote attacker with reachability to port 8000 on a vulnerable instance. Impact includes authorization bypass, database read/write access, and code execution under the NT AUTHORITY\NetworkService account. The supplied CVSS vector is CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H, reflecting network reachability, low attack complexity, and high confidentiality, integrity, and availability impact.
Defensive priority
High. The issue is remotely reachable, requires authentication but no user interaction, and can lead to full application-level compromise with code execution in an OT product. Prioritize patching and exposure reduction promptly, especially where port 8000 is reachable beyond tightly controlled internal segments.
Recommended defensive actions
- Update Siemens TeleControl Server Basic to V3.1.2.2 or later.
- Restrict access to port 8000 on affected systems to trusted IP addresses only.
- Verify whether any affected instances are exposed beyond the intended management network.
- Apply OT network segmentation and least-privilege access controls consistent with CISA ICS recommended practices.
- Review logs for unusual authentication attempts, database activity, or unexpected service behavior on affected hosts.
Evidence notes
The source corpus identifies Siemens TeleControl Server Basic as the affected product, with CISA CSAF advisory ICSA-25-112-01 published on 2025-04-16 and revised on 2025-05-06 for typo fixes. The advisory text explicitly states the SQL injection path, the need for authenticated remote access, the port 8000 requirement, and the potential for code execution as NT AUTHORITY\NetworkService. The supplied enrichment marks this as not KEV-listed.
Official resources
-
CVE-2025-30002 CVE record
CVE.org
-
CVE-2025-30002 NVD detail
NVD
-
Source item URL
cisa_csaf
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
Publicly disclosed on 2025-04-16 through CISA ICS Advisory ICSA-25-112-01 and the associated Siemens advisory; the source record was revised on 2025-05-06 for typo fixes.