PatchSiren

CVE-2025-32840 Siemens CVE debrief

CVE-2025-32840 is a high-severity SQL injection issue in Siemens TeleControl Server Basic. According to the CISA/Siemens advisory, an authenticated remote attacker who can reach port 8000 on a system running a vulnerable version may bypass authorization controls, read from and write to the application's database, and potentially execute code with NT AUTHORITY\NetworkService permissions. Siemens and CISA list updating to V3.1.2.2 or later as the vendor remediation and recommend restricting access to the exposed service port as an immediate mitigation.

Vendor: Siemens
Product: TeleControl Server Basic
CVSS: HIGH 8.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2025-04-16
Original CVE updated: 2025-05-06
Advisory published: 2025-04-16
Advisory updated: 2025-05-06

Who should care

OT/ICS defenders, Siemens TeleControl Server Basic administrators, network security teams that can control access to TCP port 8000, and incident responders supporting Windows-based industrial systems.

Technical summary

The advisory describes SQL injection in the internally used LockGateway method of Siemens TeleControl Server Basic. The attack requires authenticated access and network reachability to port 8000 on the target system. Successful exploitation can lead to authorization bypass, database read/write access, and code execution under NT AUTHORITY\NetworkService. The CVSS vector supplied in the advisory is CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H, with a score of 8.8 (High).

Defensive priority

High. Prioritize remediation on any exposed TeleControl Server Basic instance, especially systems where TCP port 8000 is reachable from networks beyond a tightly controlled trust boundary.

Recommended defensive actions

  • Upgrade Siemens TeleControl Server Basic to V3.1.2.2 or later.
  • Restrict access to TCP port 8000 on affected systems to trusted IP addresses only.
  • Verify whether any TeleControl Server Basic deployments are exposed beyond intended administrative or OT management networks.
  • Review authentication and access-control logs for unusual activity against the affected service, especially on systems reachable on port 8000.
  • Apply CISA and Siemens industrial control system defense-in-depth guidance to reduce service exposure and limit lateral movement risk.
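
One way to support the port 8000 restriction and log review above is to check the host firewall log for inbound connections from outside the trusted ranges. This is an added example, not code from the advisory or from Siemens. It assumes Windows Firewall logging is enabled on the server; the trusted ranges, addresses and log lines are constructed.

```python
import ipaddress

# Assumption: management networks allowed to reach TCP 8000 (constructed values).
TRUSTED_NETS = [ipaddress.ip_network(n) for n in ("10.10.5.0/24", "192.168.50.10/32")]
SERVICE_PORT = 8000  # service port named in the advisory

# Constructed sample in the Windows Firewall log (pfirewall.log) layout.
SAMPLE_LOG = """\
#Version: 1.5
#Software: Microsoft Windows Firewall
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2025-04-20 10:15:32 ALLOW TCP 10.10.5.20 10.10.1.15 50123 8000 0 - 0 0 0 - - - RECEIVE
2025-04-20 10:16:01 ALLOW TCP 172.16.40.7 10.10.1.15 49822 8000 0 - 0 0 0 - - - RECEIVE
2025-04-20 10:16:05 DROP TCP 203.0.113.9 10.10.1.15 40211 8000 0 - 0 0 0 - - - RECEIVE
2025-04-20 10:17:44 ALLOW TCP 10.10.1.15 10.10.9.3 51000 443 0 - 0 0 0 - - - SEND
2025-04-20 10:18:10 ALLOW TCP 172.16.40.7 10.10.1.15 49830 8000 0 - 0 0 0 - - - RECEIVE
"""

def parse(log_text):
    """Yield one dict per record, taking column names from the #Fields header."""
    fields = []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split()))

def untrusted_hits(log_text, port=SERVICE_PORT, trusted=TRUSTED_NETS):
    """Count inbound TCP records to `port` per (source, action) from outside `trusted`."""
    hits = {}
    for rec in parse(log_text):
        if rec.get("protocol") != "TCP" or rec.get("path") != "RECEIVE":
            continue
        if rec.get("dst-port") != str(port):
            continue
        try:
            src = ipaddress.ip_address(rec["src-ip"])
        except (KeyError, ValueError):
            continue  # malformed record: skip it rather than abort the review
        if not any(src in net for net in trusted):
            key = (str(src), rec.get("action", "?"))
            hits[key] = hits.get(key, 0) + 1
    return hits

if __name__ == "__main__":
    for (src, action), n in sorted(untrusted_hits(SAMPLE_LOG).items()):
        print(f"{src} {action} x{n}")
```

An ALLOW entry from an untrusted source means the restriction is not yet in effect for that path; a DROP entry shows the rule working and identifies a source worth following up.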

Evidence notes

This debrief is based on the CISA CSAF advisory ICSA-25-112-01 and Siemens product security references included in the source corpus. The source text explicitly identifies the affected product, the LockGateway SQL injection condition, the port 8000 access requirement, the possible impacts, and the vendor-fixed version. The advisory was published on 2025-04-16 and revised on 2025-05-06 for typo fixes only.

Official resources

Publicly disclosed in the CISA ICS advisory ICSA-25-112-01 on 2025-04-16; the advisory was revised on 2025-05-06 for typo fixes. The CVE record and source advisory share the same publication date.