CVE-2025-30031 Siemens CVE debrief

Who should care

Operators and defenders responsible for Siemens TeleControl Server Basic, especially in OT/ICS environments where port 8000 may be reachable from non-trusted networks. Security teams handling Windows-based control server exposure, segmentation, and patch management should prioritize it.

Technical summary

The advisory states that UpdateUsers is vulnerable to SQL injection. Exploitation requires an authenticated remote attacker who can reach the service on port 8000. Successful exploitation can bypass authorization, expose and modify application database contents, and execute code with NT AUTHORITY\NetworkService permissions. The supplied CVSS vector is CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H (8.8 High).

Defensive priority

High — prioritize for systems where port 8000 is reachable beyond tightly controlled trust boundaries, and apply the vendor fix promptly.

Recommended defensive actions

• Update Siemens TeleControl Server Basic to V3.1.2.2 or later.
• Restrict access to port 8000 on affected systems to trusted IP addresses only.
• Reduce exposure of the service to the minimum necessary network segments and trust zones.
• Follow CISA ICS recommended practices and defense-in-depth guidance for industrial control environments.

Evidence notes

The provided source corpus includes both the Siemens advisory reference (SSA-443402) and the CISA CSAF advisory (ICSA-25-112-01), which consistently describe the vulnerable UpdateUsers method, the authenticated remote attack requirement, the port 8000 exposure condition, and the remediation steps. The source timeline shows publication on 2025-04-16 and a later 2025-05-06 revision for typo fixes. The supplied enrichment indicates no CISA KEV listing for this CVE.

Official resources