CVE-2025-30030 Siemens CVE debrief

Who should care

Organizations running Siemens TeleControl Server Basic, especially OT/ICS operators, administrators who expose or route traffic to port 8000, and defenders responsible for segmentation, access control, and patching of industrial systems.

Technical summary

The affected application is vulnerable through its internally used ImportDatabase method. The vulnerability is described as SQL injection with CVSS 3.1 vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H. The advisory states that exploitation requires authenticated remote access and connectivity to port 8000 on a system running a vulnerable version. Successful exploitation can lead to authorization bypass, database read/write access, and code execution under NT AUTHORITY\NetworkService.

Defensive priority

High: this is network-reachable, requires authentication but no user interaction, and can lead to full confidentiality, integrity, and availability impact plus code execution in an OT-adjacent product.

Recommended defensive actions

• Update Siemens TeleControl Server Basic to V3.1.2.2 or later.
• Restrict access to port 8000 on affected systems to trusted IP addresses only.
• Review any network exposure of the service and remove unnecessary reachability from untrusted networks.
• Apply standard ICS defense-in-depth and segmentation practices around the affected host and service.
• Validate that only authorized users can reach the application until remediation is complete.

Evidence notes

All claims are grounded in the supplied CISA CSAF advisory ICSA-25-112-01 and its linked Siemens advisory SSA-443402. The source explicitly states the SQL injection path, the authenticated remote attacker requirement, the port 8000 condition, the NetworkService execution context, and the remediation to V3.1.2.2 or later. The CVE was published on 2025-04-16 and modified on 2025-05-06; the modification note says it was a typo fix.

Official resources