PatchSiren

PatchSiren cyber security CVE debrief

CVE-2025-32823 Siemens CVE debrief

CVE-2025-32823 is a high-severity SQL injection issue in Siemens TeleControl Server Basic. An authenticated remote attacker who can reach port 8000 may bypass authorization controls, read and write the application's database, and execute code with NT AUTHORITY\NetworkService permissions.

Vendor: Siemens
Product: TeleControl Server Basic
CVSS: HIGH 8.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2025-04-16
Original CVE updated: 2025-05-06
Advisory published: 2025-04-16
Advisory updated: 2025-05-06

Who should care

Operators and administrators of Siemens TeleControl Server Basic, OT/ICS security teams, and defenders responsible for systems where port 8000 is reachable.

Technical summary

According to the CISA CSAF advisory and Siemens references, the internally used LockProject method is vulnerable to SQL injection. Successful exploitation requires authentication and network access to port 8000 on a vulnerable system. The reported impact includes authorization bypass, database read/write access, and code execution under NT AUTHORITY\NetworkService. The supplied remediation states that Siemens fixed the issue in V3.1.2.2 or later and recommends restricting access to port 8000 to trusted IP addresses.

Defensive priority

High. The issue combines authenticated network access, authorization bypass, database compromise, and code execution, so remediation should be prioritized on any exposed deployment.

Recommended defensive actions

  • Update Siemens TeleControl Server Basic to V3.1.2.2 or later.
  • Restrict access to TCP port 8000 on affected systems to trusted IP addresses only.
  • Confirm whether any vulnerable instances are reachable from untrusted networks and isolate them if patching is delayed.
  • Use CISA industrial control system defense-in-depth and recommended-practices guidance to reduce exposure around the affected service.
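
The first three actions can be checked against an asset inventory. The script below is an added example, not code from Siemens, CISA or PatchSiren. The inventory layout, host names, trusted networks and the treatment of every release below V3.1.2.2 as unpatched are assumptions made for illustration.

```python
import ipaddress

FIXED = (3, 1, 2, 2)  # fixed release named in the advisory: V3.1.2.2

# Assumption: networks this site treats as trusted for TCP port 8000.
TRUSTED = [ipaddress.ip_network(n) for n in ("10.20.0.0/24", "10.20.5.10/32")]

def parse_version(text):
    """'V3.1.2.2' -> (3, 1, 2, 2); shorter versions are padded with zeros."""
    parts = [int(p) for p in text.strip().lstrip("vV").split(".")]
    return tuple(parts + [0] * (len(FIXED) - len(parts)))

def untrusted_sources(allowed_sources):
    """Return allowed source ranges that are not inside any trusted network."""
    bad = []
    for src in allowed_sources:
        net = ipaddress.ip_network(src, strict=False)
        if not any(net.version == t.version and net.subnet_of(t) for t in TRUSTED):
            bad.append(src)
    return bad

def triage(host):
    """Classify one inventory record against the patch and port-restriction actions."""
    vulnerable = parse_version(host["version"]) < FIXED
    exposed = untrusted_sources(host["port_8000_sources"])
    if vulnerable and exposed:
        action = "patch now and restrict port 8000"
    elif vulnerable:
        action = "patch"
    elif exposed:
        action = "restrict port 8000"
    else:
        action = "ok"
    return {"host": host["name"], "action": action, "untrusted": exposed}

# Constructed sample inventory (hypothetical hosts, not real systems).
INVENTORY = [
    {"name": "tcsb-01", "version": "V3.1.2.1", "port_8000_sources": ["0.0.0.0/0"]},
    {"name": "tcsb-02", "version": "V3.1.2", "port_8000_sources": ["10.20.0.0/25"]},
    {"name": "tcsb-03", "version": "V3.1.2.2", "port_8000_sources": ["10.20.0.0/16"]},
    {"name": "tcsb-04", "version": "V3.2.0.0", "port_8000_sources": ["10.20.5.10"]},
]

if __name__ == "__main__":
    for record in INVENTORY:
        print(triage(record))
```

A patched host such as tcsb-03 is still flagged because its firewall scope for port 8000 is wider than the trusted networks.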

Evidence notes

Primary facts come from the supplied CISA CSAF advisory ICSA-25-112-01 and its Siemens references. The advisory was published on 2025-04-16 and revised on 2025-05-06 for typo fixes only. The source text explicitly states the SQL injection resides in the LockProject method, requires authenticated remote access to port 8000, and can lead to authorization bypass, database read/write, and code execution with NT AUTHORITY\NetworkService permissions. The supplied CVSS vector is CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H with a score of 8.8.

Official resources

Published by CISA on 2025-04-16 as ICSA-25-112-01; revised on 2025-05-06 with typo fixes. Treat 2025-04-16 as the disclosure date.