PatchSiren cyber security CVE debrief
CVE-2025-32837 Siemens CVE debrief
CVE-2025-32837 is a high-severity SQL injection issue in Siemens TeleControl Server Basic. According to the advisory, an authenticated remote attacker who can reach the application on port 8000 may bypass authorization controls, read and write the application's database, and potentially execute code with NT AUTHORITY\NetworkService permissions. Siemens and CISA list a vendor fix in V3.1.2.2 or later and recommend restricting access to port 8000 to trusted IP addresses until systems are updated.
- Vendor
- Siemens
- Product
- TeleControl Server Basic
- CVSS
- HIGH 8.8
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2025-04-16
- Original CVE updated
- 2025-05-06
- Advisory published
- 2025-04-16
- Advisory updated
- 2025-05-06
Who should care
Organizations running Siemens TeleControl Server Basic, especially OT and industrial environments where port 8000 is reachable from non-trusted networks. Security teams, asset owners, and operators responsible for network segmentation, remote access control, and patch management should prioritize this advisory.
Technical summary
The advisory describes an SQL injection in the internally used GetActiveConnectionVariables method. The issue is reachable over the network and requires attacker authentication plus access to port 8000 on a vulnerable system. Successful exploitation can lead to authorization bypass, database read/write access, and code execution under NT AUTHORITY\NetworkService. The advisory assigns CVSS 3.1 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).
Defensive priority
High. The combination of network reachability, authenticated exploitation, and potential code execution in an OT-related product makes this a priority fix, particularly where port 8000 is exposed beyond tightly controlled administrative networks.
Recommended defensive actions
- Update Siemens TeleControl Server Basic to V3.1.2.2 or later.
- Restrict access to port 8000 on affected systems to trusted IP addresses only.
- Review network segmentation and remote access paths to ensure the service is not broadly reachable.
- Validate whether any systems are running affected versions and inventory them for expedited remediation.
- Monitor for unexpected database activity or service behavior on exposed instances while remediation is underway.
Evidence notes
This debrief is based on the CISA CSAF advisory ICSA-25-112-01 and Siemens product advisory references supplied in the corpus. The source text explicitly states the vulnerability is an SQL injection in GetActiveConnectionVariables, that exploitation requires authenticated remote access to port 8000, and that impact includes authorization bypass, database read/write, and code execution as NT AUTHORITY\NetworkService. The advisory also provides the mitigation to restrict port 8000 and the vendor fix version V3.1.2.2 or later. No KEV listing is provided in the supplied data.
Official resources
-
CVE-2025-32837 CVE record
CVE.org
-
CVE-2025-32837 NVD detail
NVD
-
Source item URL
cisa_csaf
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
CVE published on 2025-04-16 and revised on 2025-05-06 for typo fixes, per the supplied timeline and advisory metadata.