PatchSiren cyber security CVE debrief
CVE-2025-31343 Siemens CVE debrief
CVE-2025-31343 is a high-severity SQL injection issue in Siemens TeleControl Server Basic, disclosed on 2025-04-16 and later revised on 2025-05-06 for typo fixes. The flaw is in the internally used UpdateTcmSettings method and can let an authenticated remote attacker bypass authorization controls, access the database, and potentially execute code as NT AUTHORITY\NetworkService if the vulnerable service is reachable on port 8000.
- Vendor
- Siemens
- Product
- TeleControl Server Basic
- CVSS
- HIGH 8.8
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2025-04-16
- Original CVE updated
- 2025-05-06
- Advisory published
- 2025-04-16
- Advisory updated
- 2025-05-06
Who should care
Operators and defenders responsible for Siemens TeleControl Server Basic, especially environments where the service is exposed on TCP port 8000 or reachable from less-trusted networks. Security teams should prioritize systems that handle sensitive operational data or that cannot easily tolerate unauthorized database access or service-level code execution.
Technical summary
The supplied advisory describes a network-reachable SQL injection in TeleControl Server Basic's internal UpdateTcmSettings method. Successful exploitation requires authentication and access to port 8000 on a system running a vulnerable version. Impact includes authorization bypass, read/write access to the application's database, and code execution under the NT AUTHORITY\NetworkService account. The recommended fix is to update to V3.1.2.2 or later; Siemens also recommends restricting port 8000 to trusted IP addresses only.
Defensive priority
High. The CVSS score is 8.8 (HIGH), the attack is network-reachable, and the impact includes code execution and full database compromise. Although exploitation requires authentication and port 8000 access, the potential blast radius is significant in OT-adjacent environments.
Recommended defensive actions
- Update Siemens TeleControl Server Basic to V3.1.2.2 or later.
- Restrict TCP port 8000 to trusted IP addresses only.
- Review authentication and access paths that can reach the service on port 8000.
- Monitor for unusual database activity or unexpected changes associated with UpdateTcmSettings-related workflows.
- Apply standard OT defense-in-depth controls and segmentation around the affected system.
Evidence notes
All material facts are drawn from the supplied CISA CSAF advisory for ICSA-25-112-01 and the linked Siemens remediation guidance. The advisory states the issue is an SQL injection in UpdateTcmSettings, requires authenticated remote access and port 8000 reachability, and can lead to authorization bypass, database read/write, and code execution as NT AUTHORITY\NetworkService. The supplied enrichment marks the issue as not KEV-listed.
Official resources
-
CVE-2025-31343 CVE record
CVE.org
-
CVE-2025-31343 NVD detail
NVD
-
Source item URL
cisa_csaf
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
Publicly disclosed on 2025-04-16; revised on 2025-05-06 for typo fixes. The supplied enrichment does not indicate Known Exploited Vulnerabilities listing.