PatchSiren cyber security CVE debrief
CVE-2025-32838 Siemens CVE debrief
CVE-2025-32838 is a high-severity SQL injection issue in Siemens TeleControl Server Basic. According to the CISA/Siemens advisory, an authenticated remote attacker who can reach port 8000 on a vulnerable system may bypass authorization controls, read and write the application database, and potentially execute code as NT AUTHORITY\NetworkService. Siemens recommends updating to V3.1.2.2 or later and restricting access to port 8000 to trusted IPs only.
- Vendor
- Siemens
- Product
- TeleControl Server Basic
- CVSS
- HIGH 8.8
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2025-04-16
- Original CVE updated
- 2025-05-06
- Advisory published
- 2025-04-16
- Advisory updated
- 2025-05-06
Who should care
Operators and administrators of Siemens TeleControl Server Basic, especially in OT/ICS environments where port 8000 is reachable beyond a trusted management network. Security teams responsible for network segmentation, application hardening, and patch management should treat this as a priority.
Technical summary
The advisory describes an SQL injection in the internally used ImportConnectionVariables method. The attack requires authenticated access and network reachability to port 8000 on a system running a vulnerable version. Successful exploitation can bypass authorization controls and impact confidentiality, integrity, and availability of the database, with potential code execution under NT AUTHORITY\NetworkService. The supplied CVSS vector is CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H.
Defensive priority
High. The issue is network-reachable, requires only low privileges, and is described as enabling authorization bypass plus database access and code execution. In an OT context, exposure of the service port materially increases risk.
Recommended defensive actions
- Update Siemens TeleControl Server Basic to V3.1.2.2 or later.
- Restrict access to port 8000 on affected systems to trusted IP addresses only.
- Verify whether any exposed instances of TeleControl Server Basic are reachable outside the intended management network.
- Review authentication and network segmentation controls around OT/ICS services that use the affected application.
- Prioritize remediation on systems handling sensitive telemetry or operational data.
Evidence notes
This debrief is based on the CISA CSAF advisory ICSA-25-112-01 and Siemens advisory SSA-443402 referenced therein. The source corpus states the vulnerable component is TeleControl Server Basic, identifies the internally used ImportConnectionVariables method, and specifies the attack preconditions of authenticated access plus port 8000 reachability. The advisory revision history for 2025-05-06 indicates typographical fixes only, not a substantive vulnerability update. The CVE is not marked as CISA KEV in the supplied enrichment.
Official resources
-
CVE-2025-32838 CVE record
CVE.org
-
CVE-2025-32838 NVD detail
NVD
-
Source item URL
cisa_csaf
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
Published by CISA and Siemens on 2025-04-16. The advisory was revised on 2025-05-06 for typo fixes only. Use the CVE publication date, not the revision date, as the disclosure date.