PatchSiren cyber security CVE debrief
CVE-2025-32822 Siemens CVE debrief
CVE-2025-32822 is a high-severity SQL injection issue in Siemens TeleControl Server Basic. According to the supplied CISA/Siemens advisory material, an authenticated remote attacker who can reach port 8000 on a vulnerable system may bypass authorization controls, read and write the application's database, and potentially execute code as NT AUTHORITY\NetworkService. Siemens and CISA list remediation by updating to V3.1.2.2 or later and by restricting access to port 8000 to trusted IP addresses only.
- Vendor
- Siemens
- Product
- TeleControl Server Basic
- CVSS
- HIGH 8.8
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2025-04-16
- Original CVE updated
- 2025-05-06
- Advisory published
- 2025-04-16
- Advisory updated
- 2025-05-06
Who should care
OT/ICS operators running Siemens TeleControl Server Basic, security teams responsible for industrial Windows hosts, and network defenders who can control exposure of port 8000 should prioritize this advisory. It matters most where the service is reachable from untrusted networks or where authenticated users are not tightly restricted.
Technical summary
The supplied advisory describes a SQL injection vulnerability in the internally used DeleteProject method of Siemens TeleControl Server Basic. The issue is network-reachable and requires an authenticated attacker with access to port 8000 on a vulnerable host. Successful exploitation may allow authorization bypass, database read/write access, and code execution with NT AUTHORITY\NetworkService permissions. The advisory was published on 2025-04-16 and later revised on 2025-05-06 for typo fixes, with no change to the core risk summary in the supplied corpus.
Defensive priority
High. This is a remote, authenticated, network-reachable vulnerability with potential code execution and full database impact. Even though it is not listed in KEV in the supplied enrichment, the combination of SQL injection and service-level execution rights warrants prompt containment and patching.
Recommended defensive actions
- Update Siemens TeleControl Server Basic to V3.1.2.2 or later.
- Restrict access to port 8000 on affected systems to trusted IP addresses only.
- Confirm whether any vulnerable instances are reachable from untrusted networks or shared OT segments.
- Review authentication and account usage around the affected service for unexpected activity.
- Monitor for unusual database changes, failed authorization events, and process activity under NT AUTHORITY\NetworkService.
- Follow Siemens and CISA guidance in the linked advisories and ICS recommended practices.
Evidence notes
All statements above are taken from the supplied CISA CSAF advisory for ICSA-25-112-01 and its referenced Siemens security advisory. The advisory publication date is 2025-04-16 and the revision date is 2025-05-06; the revision history in the corpus states the later update fixed typos. The enrichment provided no KEV assignment.
Official resources
-
CVE-2025-32822 CVE record
CVE.org
-
CVE-2025-32822 NVD detail
NVD
-
Source item URL
cisa_csaf
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
Published by CISA and Siemens on 2025-04-16; revised on 2025-05-06 for typo fixes. No KEV entry was provided in the supplied corpus.