CVE-2025-31352 Siemens CVE debrief

Who should care

Operators of Siemens TeleControl Server Basic, OT/ICS administrators, security teams protecting systems exposed on port 8000, and incident responders responsible for Windows-based industrial control environments.

Technical summary

The affected application is vulnerable in the internally used UpdateGateways method, where SQL injection can be triggered over the network. The documented impact includes authorization bypass, database read/write access, and code execution with NT AUTHORITY\NetworkService permissions. The advisory states that successful exploitation requires access to port 8000 on a system running a vulnerable version of TeleControl Server Basic.

Defensive priority

High priority

Recommended defensive actions

• Restrict access to port 8000 on affected systems to trusted IP addresses only.
• Upgrade Siemens TeleControl Server Basic to V3.1.2.2 or later.
• Inventory any exposed TeleControl Server Basic instances and verify they are not reachable from untrusted networks.
• Review OT network segmentation and firewall rules around industrial control assets.
• Monitor for unusual database activity or service behavior on systems running the affected product.

Evidence notes

This debrief is based only on the supplied CISA CSAF advisory record and the referenced Siemens/CISA official advisory links. The source data states the vulnerability is an SQL injection in the internal UpdateGateways method, affects Siemens TeleControl Server Basic, requires authenticated remote access and port 8000 reachability, and can lead to authorization bypass, database manipulation, and code execution as NT AUTHORITY\NetworkService. The supplied revision history shows the advisory was published on 2025-04-16 and revised on 2025-05-06 for typo fixes.

Official resources