PatchSiren cyber security CVE debrief
CVE-2025-27495 Siemens CVE debrief
CVE-2025-27495 is a critical Siemens TeleControl Server Basic issue involving SQL injection in the internally used CreateTrace method. According to the supplied CISA/Siemens advisory material, an unauthenticated remote attacker who can reach port 8000 on a vulnerable system may bypass authorization controls, read and write the database, and execute code as NT AUTHORITY\\NetworkService. Siemens and CISA list an update to V3.1.2.2 or later as the vendor fix, and the advisory also recommends restricting access to port 8000 to trusted IP addresses only.
- Vendor
- Siemens
- Product
- TeleControl Server Basic
- CVSS
- CRITICAL 9.8
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2025-04-16
- Original CVE updated
- 2025-05-06
- Advisory published
- 2025-04-16
- Advisory updated
- 2025-05-06
Who should care
Siemens TeleControl Server Basic operators, OT/ICS administrators, network defenders, and any team exposing port 8000 on systems running this product should treat this as urgent.
Technical summary
The advisory describes a SQL injection flaw in the internally used CreateTrace method of Siemens TeleControl Server Basic. The attack path is network reachable and does not require authentication, but it does require access to port 8000 on a system running a vulnerable version. Successful exploitation can bypass authorization controls, enable database read/write access, and lead to code execution with NT AUTHORITY\\NetworkService permissions.
Defensive priority
Critical. The issue is remotely reachable, requires no authentication, and is documented as enabling authorization bypass, database compromise, and code execution. Exposure of port 8000 materially increases risk, so affected deployments should be reviewed and remediated immediately.
Recommended defensive actions
- Update Siemens TeleControl Server Basic to V3.1.2.2 or later.
- Restrict access to port 8000 on affected systems to trusted IP addresses only.
- Verify whether any TeleControl Server Basic instances are reachable from untrusted networks and remove unnecessary exposure.
- Apply OT network segmentation and defense-in-depth controls consistent with CISA ICS recommended practices.
- Review the Siemens and CISA advisories for product-specific remediation guidance and operational considerations.
Evidence notes
The supplied CISA CSAF advisory for ICSA-25-112-01 states that TeleControl Server Basic is vulnerable to SQL injection via the CreateTrace method, that the attacker must be able to access port 8000, and that the issue can lead to authorization bypass, database read/write access, and code execution as NT AUTHORITY\\NetworkService. The advisory was published on 2025-04-16 and revised on 2025-05-06 for typo fixes only. The supplied enrichment marks the issue as not present in CISA KEV.
Official resources
-
CVE-2025-27495 CVE record
CVE.org
-
CVE-2025-27495 NVD detail
NVD
-
Source item URL
cisa_csaf
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
Publicly disclosed on 2025-04-16 in CISA advisory ICSA-25-112-01; modified on 2025-05-06 for typo fixes. No KEV listing is indicated in the supplied data.