CVE-2025-32826 Siemens CVE debrief

Who should care

Organizations running Siemens TeleControl Server Basic, especially any deployment exposed on port 8000 or reachable from untrusted networks. OT/ICS operators, Windows administrators, and teams responsible for asset inventory, firewall rules, and patch management should prioritize review.

Technical summary

The advisory describes SQL injection in the internally used GetActiveProjects method. The vulnerable path is reachable by an authenticated remote attacker with network access to port 8000. Impact includes authorization bypass, database read/write access, and code execution under the NT AUTHORITY\\NetworkService account. CISA lists the issue at CVSS 3.1 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

Defensive priority

High. This is an exploitable network-reachable weakness with potential for database compromise and code execution. Prioritize if TeleControl Server Basic is deployed in production or exposed beyond a tightly controlled management network.

Recommended defensive actions

• Update Siemens TeleControl Server Basic to V3.1.2.2 or later.
• Restrict access to port 8000 on affected systems to trusted IP addresses only.
• Verify which hosts run TeleControl Server Basic and whether any instance is reachable from user, contractor, or Internet-facing networks.
• Review authentication, firewall, and segmentation controls around the TeleControl Server Basic service.
• Check for unexpected database activity or service behavior on vulnerable hosts until remediation is complete.

Evidence notes

The affected product, vulnerability mechanism, impact, and remediation are taken from the CISA CSAF advisory ICSA-25-112-01 and the linked Siemens product security advisory. The advisory was published on 2025-04-16 and later revised on 2025-05-06 for typo fixes only, per the supplied timeline. No exploit details beyond the advisory description are included.

Official resources