PatchSiren

CVE-2025-32830 Siemens CVE debrief

CVE-2025-32830 is a high-severity SQL injection issue in Siemens TeleControl Server Basic. According to the CISA CSAF advisory, the flaw is reachable through the internally used UnlockProject method and can let an authenticated remote attacker bypass authorization controls, read and write the application's database, and execute code as NT AUTHORITY\NetworkService when the vulnerable service is reachable on port 8000.

Vendor: Siemens
Product: TeleControl Server Basic
CVSS: HIGH 8.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2025-04-16
Original CVE updated: 2025-05-06
Advisory published: 2025-04-16
Advisory updated: 2025-05-06

Who should care

Operators and defenders responsible for Siemens TeleControl Server Basic, especially in OT/ICS environments where port 8000 is reachable. Security teams should also pay attention if the product is deployed on Windows systems with broad network access or if authenticated remote users can reach the service.

Technical summary

The advisory describes a SQL injection condition in the internally used UnlockProject method of TeleControl Server Basic. The impact includes authorization bypass, database read/write access, and code execution with NT AUTHORITY\NetworkService permissions. Exploitation requires authenticated remote access and the ability to reach port 8000 on a host running a vulnerable version. The supplied CVSS vector is CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H: a network-reachable attack of low complexity that needs low privileges and no user interaction, with high impact on confidentiality, integrity and availability.

Defensive priority

High

Recommended defensive actions

  • Update Siemens TeleControl Server Basic to V3.1.2.2 or later.
  • Restrict access to port 8000 on affected systems to trusted IP addresses only.
  • Verify whether any vulnerable instance is reachable from untrusted networks or remote user segments and remove unnecessary exposure.
  • Review affected systems for unexpected database changes or signs of unauthorized authenticated activity if exposure existed.
  • Follow Siemens and CISA ICS defense-in-depth and recommended practices guidance for industrial control system environments.
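
One way to check the port 8000 restriction from an exported list of inbound allow rules. This is an added example, not code from the advisory or from Siemens. The rule tuple layout, rule names and addresses are constructed assumptions; adapt them to the export format of the firewall in use.

```python
import ipaddress

SERVICE_PORT = 8000  # port named in the advisory

# Constructed sample: inbound allow rules as (name, local ports, remote scopes).
# The tuple layout is an assumption, not a real firewall export format.
SAMPLE_RULES = [
    ("TCSB-engineering", "8000", ["10.20.30.0/24"]),
    ("TCSB-legacy", "7000-8100", ["Any"]),
    ("RDP-admin", "3389", ["10.20.30.5"]),
    ("TCSB-vendor", "443,8000", ["10.20.30.0/25", "192.0.2.0/24"]),
]
TRUSTED = ["10.20.30.0/24"]  # constructed trusted engineering network

def covers_port(spec, port):
    """True if a port spec such as '443,8000', '7000-8100' or 'Any' includes port."""
    if spec.strip().lower() == "any":
        return True
    for part in spec.split(","):
        lo, _, hi = part.strip().partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False

def untrusted_scopes(remote, trusted):
    """Return the remote scopes of a rule that are not inside any trusted network."""
    nets = [ipaddress.ip_network(t, strict=False) for t in trusted]
    bad = []
    for scope in remote:
        if scope.strip().lower() != "any":
            net = ipaddress.ip_network(scope, strict=False)
            if any(net.version == t.version and net.subnet_of(t) for t in nets):
                continue  # scope lies fully inside a trusted network
        bad.append(scope)
    return bad

def audit(rules, trusted, port=SERVICE_PORT):
    """Map rule name -> offending scopes for allow rules that expose `port`."""
    findings = {}
    for name, ports, remote in rules:
        if covers_port(ports, port):
            bad = untrusted_scopes(remote, trusted)
            if bad:
                findings[name] = bad
    return findings

if __name__ == "__main__":
    for name, bad in audit(SAMPLE_RULES, TRUSTED).items():
        print(f"{name}: port {SERVICE_PORT} open to {', '.join(bad)}")
```

The port-range rule is the case that is easy to miss in a manual review: it never mentions 8000 but still exposes it to any remote address.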

Evidence notes

All substantive claims here come from the supplied CISA CSAF advisory for ICSA-25-112-01 and its referenced Siemens advisory materials. The advisory text explicitly identifies the UnlockProject SQL injection, the authenticated remote attack requirement, the need to access port 8000, the authorization-bypass and code-execution impacts, and the recommended fix to V3.1.2.2 or later. The revision history shows a 2025-05-06 update marked as typo fixes only.

Official resources

Publicly disclosed on 2025-04-16. The supplied source advisory was revised on 2025-05-06, with the revision history indicating typo fixes only. No KEV listing is present in the supplied data.