CVE-2025-27539 Siemens CVE debrief

Who should care

Organizations operating Siemens TeleControl Server Basic, especially deployments with port 8000 reachable from untrusted networks. OT/ICS security teams, system owners, and administrators responsible for patching or network restriction should treat this as high priority.

Technical summary

The issue is described as SQL injection in the internally used VerifyUser method. The exposed attack path is network-based and requires no authentication. Impact includes authorization bypass, database read/write access, and code execution with NT AUTHORITY\NetworkService permissions. The affected product is Siemens TeleControl Server Basic, and the vendor remediation specifies updating to V3.1.2.2 or later; interim mitigation is to restrict access to port 8000 to trusted IP addresses.

Defensive priority

Critical. The CVSS 3.1 vector is 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), and the advisory describes unauthenticated remote impact with potential code execution. Prioritize patching or strict network access control immediately.

Recommended defensive actions

• Update Siemens TeleControl Server Basic to V3.1.2.2 or later.
• Restrict access to port 8000 on affected systems to trusted IP addresses only.
• Identify all TeleControl Server Basic deployments and confirm whether any are reachable from untrusted networks.
• Review segmentation and firewall rules around OT/ICS management interfaces exposed to port 8000.
• Validate remediation after patching and monitor for unexpected access attempts against the service.

Evidence notes

The supplied source corpus is a CISA CSAF advisory (ICSA-25-112-01) for CVE-2025-27539, referencing Siemens advisory SSA-443402. The advisory text states the VerifyUser SQL injection impact and the port 8000 access requirement. Publication date is 2025-04-16, with a revision on 2025-05-06 that only fixed typos. The supplied enrichment marks this as not a KEV-listed vulnerability.

Official resources