PatchSiren

CVE-2025-31351 Siemens CVE debrief

CVE-2025-31351 affects Siemens TeleControl Server Basic and was published on 2025-04-16. The advisory says an authenticated remote attacker who can reach port 8000 on a vulnerable system may abuse SQL injection in the internally used CreateProject method to bypass authorization, read and write the application database, and potentially execute code as NT AUTHORITY\NetworkService. Siemens lists an update to V3.1.2.2 or later, along with restricting port 8000 to trusted IPs, as the primary remediation path.

Vendor: Siemens
Product: TeleControl Server Basic
CVSS: HIGH 8.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2025-04-16
Original CVE updated: 2025-05-06
Advisory published: 2025-04-16
Advisory updated: 2025-05-06

Who should care

Siemens TeleControl Server Basic administrators, OT/ICS operators, SOC and network teams, and incident responders should prioritize this issue, especially where port 8000 is reachable from untrusted networks.

Technical summary

The advisory describes a SQL injection flaw in the internally used CreateProject method. Attackers must be authenticated and able to access port 8000 on the affected host. The stated impact includes authorization bypass, database read/write access, and possible code execution with NT AUTHORITY\NetworkService permissions. The supplied CVSS vector is CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H, scored 8.8 (HIGH).

Defensive priority

High

Recommended defensive actions

  • Update Siemens TeleControl Server Basic to V3.1.2.2 or later.
  • Restrict access to port 8000 so only trusted IP addresses can reach the service.
  • Audit exposed TeleControl Server Basic instances to confirm version and network exposure.
  • Review logs and database activity for unexpected requests against the CreateProject workflow.
  • Treat exposed installations as high priority until patched, especially in OT environments.

Evidence notes

This debrief is based on the CISA CSAF advisory ICSA-25-112-01 for Siemens TeleControl Server Basic and the related Siemens advisory references. The source text explicitly states the SQL injection location, the authenticated remote attacker requirement, the port 8000 exposure condition, the potential impacts, and the vendor remediation to V3.1.2.2 or later. The supplied timeline shows publication on 2025-04-16 and a 2025-05-06 revision that only fixed typos.

Official resources

Public advisory published by CISA on 2025-04-16; the source advisory was revised on 2025-05-06 for typo fixes only. The supplied enrichment does not indicate a CISA KEV listing or known ransomware campaign use.