CVE-2025-27540 Siemens CVE debrief

Who should care

OT/ICS defenders, Siemens TeleControl Server Basic administrators, network/security teams protecting systems exposed on TCP/8000, and any organization running the affected product in a reachable network segment.

Technical summary

The vulnerability is described as SQL injection in the internally used Authenticate method. The impact stated in the advisory includes authorization bypass, database read/write access, and remote code execution with NT AUTHORITY\NetworkService permissions. The attack requires network access to port 8000 on a system running a vulnerable version of the application.

Defensive priority

Critical — prioritize immediate patching or, if patching is not yet possible, restrict exposure of TCP/8000 to trusted sources only.

Recommended defensive actions

• Update Siemens TeleControl Server Basic to V3.1.2.2 or later.
• Restrict access to TCP port 8000 on affected systems to trusted IP addresses only.
• Inventory all TeleControl Server Basic deployments and confirm whether any instances are reachable from untrusted networks.
• Review Siemens advisory guidance and CISA ICS recommended practices for additional hardening and network segmentation steps.

Evidence notes

Primary evidence comes from the CISA CSAF advisory ICSA-25-112-01 and Siemens product security notice SSA-443402. The supplied advisory text states the SQL injection location (Authenticate), the required network access condition (port 8000), the impact (authorization bypass, database access, and code execution as NT AUTHORITY\NetworkService), and the vendor remediation (V3.1.2.2 or later plus access restriction to port 8000).

Official resources