Siemens Teamcenter vulnerability could allow account takeover (CVE-2025-23363)

by CybrGPT

A high-severity vulnerability (CVE-2025-23363) in the Siemens Teamcenter product lifecycle management (PLM) software could allow an attacker to steal users’ valid session data and gain unauthorized access to the vulnerable application.

About CVE-2025-23363

Siemens Teamcenter is a suite of applications that is used by businesses to manage the entire lifecycle of a product, from initial concept to design, manufacturing, service, and eventual disposal.

CVE-2025-23363 is an open redirect vulnerability in Teamcenter’s single sign-on (SSO) login service. In affected applications – currently all versions of Siemens Teamcenter – the service accepts user-controlled input that could specify a link to an external site.

This may allow an attacker to craft a link to redirect the legitimate user to an attacker-chosen URL to steal valid session data.

“For a successful exploit, the legitimate user must actively click on an attacker-crafted link,” the company noted.

What to do until the fix is ready?

Privately reported by Nicolo Vinci and ostensibly fixed by Siemens earlier this month, CVE-2025-23363 is still exploitable because the implemented fix was pulled for being “insufficient”.

“As a general security measure, Siemens strongly recommends to protect network access to devices with appropriate mechanisms. In order to operate the devices in a protected IT environment, Siemens recommends to configure the environment according to Siemens’ operational guidelines for Industrial Security and to follow the recommendations in the product manuals,” the company added.

The company is working on a new fix for CVE-2025-23363. In the meantime, users have been advised to avoid clicking on links from untrusted sources.
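While no fix is available, defenders can review web or reverse-proxy access logs for login requests whose query parameters point to a host outside the organization. The following is an added example, not code from Siemens or from the original article; the `/sso/login` path, the `next` parameter, the host names and the log lines are constructed placeholders, and the check inspects every query parameter rather than assuming a specific name.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Assumption: hosts the SSO service may legitimately redirect to.
TRUSTED_HOSTS = {"plm.corp.example"}

# Request target inside a combined-format access log line.
REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')

# Constructed sample lines; path and parameter name are hypothetical.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2025:10:00:00 +0000] "GET /sso/login?next=%2Fhome HTTP/1.1" 302 0',
    '10.0.0.6 - - [01/Jan/2025:10:00:01 +0000] "GET /sso/login?next=https%3A%2F%2Fplm.corp.example%2Fhome HTTP/1.1" 302 0',
    '10.0.0.7 - - [01/Jan/2025:10:00:02 +0000] "GET /sso/login?next=https%3A%2F%2Flogin.untrusted.invalid%2F HTTP/1.1" 302 0',
    '10.0.0.8 - - [01/Jan/2025:10:00:03 +0000] "GET /sso/login?next=%2F%2Flogin.untrusted.invalid%2F HTTP/1.1" 302 0',
]


def redirect_host(value):
    """Return the host a parameter value would send a browser to, or None for a local path."""
    for _ in range(3):  # undo nested percent-encoding
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    value = value.strip().replace("\\", "/")  # browsers treat "\" as "/"
    if value.startswith("//"):  # protocol-relative URL
        value = "https:" + value
    try:
        parts = urlsplit(value)
    except ValueError:
        return None
    if parts.scheme.lower() in ("http", "https") and parts.hostname:
        return parts.hostname.lower()
    return None


def external_redirects(log_lines, trusted=frozenset(TRUSTED_HOSTS)):
    """Return (line_number, parameter, host) for each off-site redirect target."""
    findings = []
    for number, line in enumerate(log_lines, start=1):
        match = REQUEST_RE.search(line)
        if not match:
            continue
        for name, value in parse_qsl(urlsplit(match.group(1)).query):
            host = redirect_host(value)
            if host and host not in trusted:
                findings.append((number, name, host))
    return findings
```

Calling `external_redirects(SAMPLE_LOG)` flags lines 3 and 4 only; the local path and the trusted host pass.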

Siemens Teamcenter is used by organizations in various industries, including aerospace and defense, automotive and transportation, industrial machine manufacturing, and information technology and electronics. According to Enlyft, 46% of Siemens Teamcenter customers are in the United States, 7% are in Germany, 7% are in India and 6% are in the United Kingdom.

