PatchSiren

PatchSiren cyber security CVE debrief

CVE-2025-32835 Siemens CVE debrief

CVE-2025-32835 is a high-severity SQL injection issue in Siemens TeleControl Server Basic, exposed through the internally used UpdateConnectionVariableArchivingBuffering method. According to the advisory, an authenticated remote attacker who can reach port 8000 on a vulnerable host may bypass authorization controls, read and write the application's database, and execute code as NT AUTHORITY\NetworkService. Siemens and CISA published the advisory on 2025-04-16 and later issued a revision on 2025-05-06 for typo fixes.

Vendor: Siemens
Product: TeleControl Server Basic
CVSS: HIGH 8.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2025-04-16
Original CVE updated: 2025-05-06
Advisory published: 2025-04-16
Advisory updated: 2025-05-06

Who should care

OT/ICS administrators, Siemens TeleControl Server Basic operators, defenders responsible for host-based and network segmentation controls, and teams managing authenticated access to systems that expose port 8000.

Technical summary

The supplied advisory describes a SQL injection weakness in the internal UpdateConnectionVariableArchivingBuffering method of Siemens TeleControl Server Basic. The stated impact includes authorization bypass, database read/write access, and code execution with NT AUTHORITY\NetworkService permissions. The attack requires authenticated access and network reachability to port 8000 on a system running a vulnerable version.

Defensive priority

High priority. The combination of authenticated remote access, database compromise, and code execution potential warrants rapid remediation, especially where port 8000 is exposed beyond trusted administrative networks.

Recommended defensive actions

  • Update Siemens TeleControl Server Basic to V3.1.2.2 or later.
  • Restrict access to port 8000 on affected systems to trusted IP addresses only.
  • Audit exposed systems for unexpected authentication attempts, database changes, or service activity tied to TeleControl Server Basic.
  • Apply ICS network segmentation and defense-in-depth practices to reduce exposure of management services.
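
The port 8000 restriction from the list above, as an added example for a host that uses Windows Defender Firewall (this script is not from Siemens or CISA). It audits first, because Windows allow rules are additive and one broad rule cancels a narrower one. The trusted addresses and the rule name are constructed placeholders, and the use of Windows Defender Firewall as the host firewall is an assumption.

```powershell
# Added example, not vendor code. Audits by default; pass -Apply to create the scoped rule.
param([switch]$Apply)

$Port           = 8000
$TrustedSources = @('192.0.2.10', '198.51.100.0/28')   # constructed placeholders
$RuleName       = 'TCSB port 8000 - trusted sources'   # hypothetical rule name

# 1. A scoped allow rule only restricts access if the profile blocks inbound by default.
#    (NotConfigured means the Windows default, which is Block.)
Get-NetFirewallProfile | Select-Object Name, Enabled, DefaultInboundAction | Format-Table

# 2. Allow rules are additive: an enabled inbound allow rule that covers the port with
#    RemoteAddress "Any" keeps it open to every source, whatever narrower rules exist.
$broad = foreach ($rule in Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True) {
    $pf = $rule | Get-NetFirewallPortFilter
    if ($pf.Protocol -notin @('TCP', 'Any')) { continue }
    $covers = $false
    foreach ($p in @($pf.LocalPort)) {
        if ($p -eq 'Any' -or $p -eq "$Port") { $covers = $true }
        elseif ($p -match '^(\d+)-(\d+)$' -and
                $Port -ge [int]$Matches[1] -and $Port -le [int]$Matches[2]) { $covers = $true }
    }
    if (-not $covers) { continue }
    $remote = @(($rule | Get-NetFirewallAddressFilter).RemoteAddress)
    if ($remote -contains 'Any') {
        [pscustomobject]@{
            Rule      = $rule.DisplayName
            Profile   = $rule.Profile
            LocalPort = @($pf.LocalPort) -join ','
        }
    }
}
if ($broad) {
    Write-Warning "Inbound allow rules that expose TCP $Port to any source:"
    $broad | Format-Table -AutoSize
}

# 3. Peers currently connected to the port, for comparison against the trusted list.
Get-NetTCPConnection -LocalPort $Port -State Established -ErrorAction SilentlyContinue |
    Group-Object RemoteAddress | Select-Object Name, Count | Format-Table -AutoSize

# 4. Create the scoped rule only when asked to.
if ($Apply) {
    New-NetFirewallRule -DisplayName $RuleName -Direction Inbound -Action Allow `
        -Protocol TCP -LocalPort $Port -RemoteAddress $TrustedSources | Out-Null
    Write-Host "Created '$RuleName' for: $($TrustedSources -join ', ')"
}
```

Run it from an elevated PowerShell session. Any rule reported in step 2 has to be disabled or rescoped before the new rule restricts anything.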

Evidence notes

This debrief is based on the CISA CSAF advisory ICSA-25-112-01 (source item) and the Siemens security advisory SSA-443402 referenced in the provided corpus. The advisory text explicitly states the SQL injection condition, the need for authenticated remote access, the port 8000 prerequisite, and the NT AUTHORITY\NetworkService execution context. The 2025-05-06 modification in the supplied timeline is recorded as typo fixes, not a substantive change in the vulnerability description.

Official resources

Publicly disclosed on 2025-04-16 in CISA advisory ICSA-25-112-01 / Siemens advisory SSA-443402; revised on 2025-05-06 for typo fixes.