PatchSiren cyber security CVE debrief
CVE-2025-32824 Siemens CVE debrief
CVE-2025-32824 affects Siemens TeleControl Server Basic and is described as an SQL injection issue in the internally used UnlockProject method. According to the advisory, an authenticated remote attacker with network access to port 8000 on a vulnerable system could bypass authorization controls, read and write the application's database, and execute code as NT AUTHORITY\NetworkService. Siemens and CISA list a vendor fix in V3.1.2.2 or later, and the advisory also recommends restricting access to port 8000 to trusted IP addresses only.
- Vendor
- Siemens
- Product
- TeleControl Server Basic
- CVSS
- HIGH 8.8
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2025-04-16
- Original CVE updated
- 2025-05-06
- Advisory published
- 2025-04-16
- Advisory updated
- 2025-05-06
Who should care
OT and ICS defenders running Siemens TeleControl Server Basic, especially teams responsible for perimeter access control, Windows service hardening, patch management, and any environment where port 8000 is reachable from untrusted networks.
Technical summary
The source advisory identifies a SQL injection weakness in an internal UnlockProject method in Siemens TeleControl Server Basic. The impact is high: the attacker needs authentication, but once authorized and able to reach port 8000, they may bypass authorization checks, interact with the database in read/write mode, and potentially achieve code execution under the NetworkService account. The published CVSS vector is CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H, which aligns with a network-reachable, low-complexity, high-impact issue. The advisory was published on 2025-04-16 and later revised on 2025-05-06 for typo fixes only.
Defensive priority
High. Treat as a priority remediation for any exposed or remotely reachable TeleControl Server Basic deployment, especially where port 8000 is not tightly restricted.
Recommended defensive actions
- Upgrade Siemens TeleControl Server Basic to V3.1.2.2 or later.
- Restrict access to port 8000 on affected systems to trusted IP addresses only.
- Verify that no unauthenticated or broad network paths can reach the affected service.
- Review logs for unexpected access to the TeleControl Server Basic interface and any abnormal database activity.
- Apply OT network segmentation and least-privilege access controls consistent with CISA ICS recommended practices.
- Validate that the NetworkService account and host hardening baseline are appropriate for the environment.
Evidence notes
This debrief is based only on the supplied CISA CSAF advisory and the Siemens advisory references it lists. The advisory explicitly names Siemens TeleControl Server Basic as the affected product, states that the issue is SQL injection in the UnlockProject method, and gives the impact and access conditions. The remediation guidance in the corpus is to update to V3.1.2.2 or later and to restrict port 8000 to trusted IP addresses. The source timeline shows initial publication on 2025-04-16 and a later 2025-05-06 revision that corrected typos. No KEV entry is indicated in the supplied data.
Official resources
-
CVE-2025-32824 CVE record
CVE.org
-
CVE-2025-32824 NVD detail
NVD
-
Source item URL
cisa_csaf
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
CISA published ICSA-25-112-01 / CVE-2025-32824 on 2025-04-16. The source corpus shows a later revision on 2025-05-06 that corrected typos only. The supplied data does not indicate KEV inclusion.