CVE-2025-31353 Siemens CVE debrief

Who should care

OT/ICS operators running Siemens TeleControl Server Basic, administrators responsible for hosts exposing port 8000, security teams monitoring authenticated access paths, and incident responders supporting affected industrial environments.

Technical summary

The issue is an SQL injection in the UpdateOpcSettings method of Siemens TeleControl Server Basic. The attack requires authenticated remote access and reachability to port 8000. Successful exploitation can affect authorization boundaries, database integrity/confidentiality, and process execution under the NetworkService account.

Defensive priority

High. Treat as urgent on any system where port 8000 is reachable from untrusted networks or where TeleControl Server Basic remains unpatched.

Recommended defensive actions

• Update Siemens TeleControl Server Basic to V3.1.2.2 or later.
• Restrict access to port 8000 to trusted IP addresses only.
• Verify firewall, VPN, and segmentation controls so the service is not exposed beyond intended management networks.
• Review affected systems for unexpected database changes, failed authentication attempts, or other anomalous activity consistent with misuse of an authenticated interface.
• Follow CISA ICS recommended practices and defense-in-depth guidance for network segmentation and access control.

Evidence notes

Direct evidence comes from the CISA CSAF advisory ICSA-25-112-01 and the linked Siemens advisory SSA-443402. The advisory text states that the vulnerability is a SQL injection in UpdateOpcSettings, reachable by an authenticated remote attacker over port 8000, with impacts including authorization bypass, database read/write, and code execution as NT AUTHORITY\NetworkService. The source metadata records publication on 2025-04-16 and a 2025-05-06 revision for typo fixes. The supplied enrichment data shows the item is not listed in CISA KEV.

Official resources