PatchSiren

PatchSiren cyber security CVE debrief

CVE-2025-32841 Siemens CVE debrief

CVE-2025-32841 affects Siemens TeleControl Server Basic and is described by CISA as an SQL injection issue in the internally used UnlockGateway method. An authenticated remote attacker with access to port 8000 on a vulnerable system may be able to bypass authorization controls, read and write the application's database, and execute code as NT AUTHORITY\NetworkService.

Vendor: Siemens
Product: TeleControl Server Basic
CVSS: HIGH 8.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2025-04-16
Original CVE updated: 2025-05-06
Advisory published: 2025-04-16
Advisory updated: 2025-05-06

Who should care

Organizations running Siemens TeleControl Server Basic, especially OT/ICS teams, Windows administrators, network security teams, and anyone exposing port 8000 on systems running the product.

Technical summary

The advisory states that the affected application is vulnerable to SQL injection through the internally used UnlockGateway method. The attack requires an authenticated remote attacker and access to port 8000 on a system running a vulnerable version. Successful exploitation can bypass authorization controls, manipulate the application's database, and execute code with NT AUTHORITY\NetworkService permissions.

Defensive priority

High — prioritize remediation on any exposed TeleControl Server Basic deployment, especially where port 8000 is reachable from non-trusted networks.

Recommended defensive actions

  • Update Siemens TeleControl Server Basic to V3.1.2.2 or later.
  • Restrict access to port 8000 on affected systems to trusted IP addresses only.
  • Verify whether any management or service ports for TeleControl Server Basic are exposed beyond the intended OT administration network.
  • Review logs for unexpected authenticated access or unusual database activity associated with the application.
  • Follow Siemens and CISA industrial control system hardening guidance for network segmentation and defense in depth.
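
One way to carry out the port 8000 restriction and exposure check on the Windows host itself, as an added example that is not taken from the Siemens or CISA advisory. It assumes Windows Defender Firewall is the enforcement point; the trusted addresses are constructed placeholders and Test-PortMatch is a hypothetical helper.

```powershell
# Added example. Assumes Windows Defender Firewall enforces inbound policy on this host.
# $TrustedSources holds constructed placeholder values; replace with your OT admin addresses.
#Requires -RunAsAdministrator
$Port = 8000
$TrustedSources = @('192.0.2.10', '192.0.2.0/28')

# 1. Confirm a listener exists on the port and identify the owning process.
Get-NetTCPConnection -LocalPort $Port -State Listen -ErrorAction SilentlyContinue |
    Select-Object LocalAddress, LocalPort,
        @{ n = 'Process'; e = { (Get-Process -Id $_.OwningProcess).ProcessName } }

# Hypothetical helper: does a rule's LocalPort filter (Any, single port, or range) cover $Port?
function Test-PortMatch([string[]]$LocalPort, [int]$Port) {
    foreach ($p in $LocalPort) {
        if ($p -eq 'Any' -or $p -eq "$Port") { return $true }
        if ($p -match '^(\d+)-(\d+)$' -and $Port -ge [int]$Matches[1] -and $Port -le [int]$Matches[2]) { return $true }
    }
    return $false
}

# 2. List enabled inbound allow rules that cover TCP 8000, with their permitted sources.
#    This reads the local store; rules delivered by Group Policy are not shown here.
$exposed = Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
    ForEach-Object {
        $pf = $_ | Get-NetFirewallPortFilter
        $af = $_ | Get-NetFirewallAddressFilter
        if ($pf.Protocol -in 'TCP', 'Any' -and (Test-PortMatch $pf.LocalPort $Port)) {
            [pscustomobject]@{
                Name = $_.Name; DisplayName = $_.DisplayName
                Profile = $_.Profile; LocalPort = $pf.LocalPort -join ','
                RemoteAddress = $af.RemoteAddress -join ','
            }
        }
    }
$exposed | Format-Table -AutoSize

# 3. Rules that name only port 8000 and accept any source are narrowed to the trusted list.
#    Broader rules (LocalPort Any or a range) are reported above but left alone, because
#    rewriting them would change access to other services. Remove -WhatIf to apply.
$exposed | Where-Object { $_.LocalPort -eq "$Port" -and $_.RemoteAddress -eq 'Any' } |
    ForEach-Object { Set-NetFirewallRule -Name $_.Name -RemoteAddress $TrustedSources -WhatIf }

# 4. Narrowing allow rules only helps if unmatched inbound traffic is blocked on every profile.
Get-NetFirewallProfile -PolicyStore ActiveStore | Select-Object Name, Enabled, DefaultInboundAction
```

A host-level rule complements, and does not replace, filtering at the OT network boundary; a profile that reports Enabled as False or DefaultInboundAction as Allow means the narrowed rule is not limiting access.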

Evidence notes

This debrief is based on the CISA CSAF advisory ICSA-25-112-01 for CVE-2025-32841 and its linked Siemens product security advisory. The supplied corpus explicitly identifies Siemens TeleControl Server Basic, the UnlockGateway SQL injection condition, the requirement for authenticated remote access to port 8000, the impact on authorization and database access, and code execution as NT AUTHORITY\NetworkService. The advisory revision history indicates the 2025-05-06 update was a typo fix only.

Official resources

Publicly disclosed in the source advisory on 2025-04-16T00:00:00.000Z, with a later 2025-05-06T06:00:00.000Z revision noted as typo fixes only.