PatchSiren

CVE-2025-32843 Siemens CVE debrief

CVE-2025-32843 affects Siemens TeleControl Server Basic and was publicly disclosed on 2025-04-16, with a later 2025-05-06 revision for typo fixes only. The issue is an SQL injection in the internally used LockUser method. According to the advisory, an authenticated remote attacker who can reach port 8000 on a vulnerable system may bypass authorization controls, read and write the application's database, and execute code as NT AUTHORITY\NetworkService. Siemens recommends updating to V3.1.2.2 or later and restricting access to port 8000 to trusted IP addresses.

Vendor: Siemens
Product: TeleControl Server Basic
CVSS: HIGH 8.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2025-04-16
Original CVE updated: 2025-05-06
Advisory published: 2025-04-16
Advisory updated: 2025-05-06

Who should care

Siemens TeleControl Server Basic administrators, OT/ICS security teams, and network defenders responsible for systems that expose or route access to port 8000.

Technical summary

The supplied CISA CSAF and Siemens advisory describe an SQL injection weakness in the LockUser method of TeleControl Server Basic. Exploitation requires an authenticated remote attacker with access to port 8000 on a vulnerable host. Successful exploitation can bypass authorization controls, enable database read/write access, and lead to code execution under NT AUTHORITY\NetworkService. The supplied CVSS vector is CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H, rated 8.8 (High).

Defensive priority

High priority for any exposed TeleControl Server Basic deployment, especially where port 8000 is reachable outside a trusted management network.

Recommended defensive actions

  • Update Siemens TeleControl Server Basic to V3.1.2.2 or later.
  • Restrict access to port 8000 on affected systems to trusted IP addresses only.
  • Use network segmentation and allowlisting to keep the service off untrusted networks, following CISA ICS recommended practices.
  • Validate which hosts are running TeleControl Server Basic and confirm they are on a patched version.
  • Monitor for unusual authentication failures, database modification activity, and unexpected process execution on affected systems.
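
One way to check two of these actions together is sketched below: it flags inventoried hosts reporting a version below V3.1.2.2 and lists sources outside the trusted allowlist that connected to port 8000. This is an added example, not code from Siemens, CISA or PatchSiren; the host names, addresses, allowlist and the four-field connection log format are constructed assumptions.

```python
import ipaddress

FIXED_VERSION = (3, 1, 2, 2)   # first fixed release named in the advisory
SERVICE_PORT = 8000            # port the advisory says to restrict

# Constructed sample data (hypothetical hosts, addresses and log format).
SAMPLE_INVENTORY = {"tcsb-01": "V3.1.2.1", "tcsb-02": "V3.1.2.2",
                    "tcsb-03": "3.0", "tcsb-04": "V3.2"}
SAMPLE_TRUSTED = ["10.20.0.0/24"]
SAMPLE_CONNS = [  # fields: timestamp, source IP, destination IP, destination port
    "2025-05-07T10:00:01Z 10.20.0.5 10.20.1.10 8000",
    "2025-05-07T10:00:09Z 192.0.2.44 10.20.1.10 8000",
    "2025-05-07T10:01:12Z 192.0.2.44 10.20.1.10 443",
    "2025-05-07T10:02:30Z 198.51.100.7 10.20.1.11 8000",
]

def parse_version(text):
    """Turn 'V3.1.2.2' into (3, 1, 2, 2), zero-padding short versions."""
    parts = [int(p) for p in text.strip().lstrip("Vv").split(".")]
    return tuple(parts + [0] * (4 - len(parts)))

def unpatched_hosts(inventory):
    """Hosts whose reported version is below the fixed release."""
    return sorted(h for h, v in inventory.items()
                  if parse_version(v) < FIXED_VERSION)

def untrusted_sources(conn_lines, trusted_cidrs):
    """Map each server to the non-allowlisted sources that reached SERVICE_PORT."""
    nets = [ipaddress.ip_network(c) for c in trusted_cidrs]
    hits = {}
    for line in conn_lines:
        fields = line.split()
        if len(fields) != 4 or fields[3] != str(SERVICE_PORT):
            continue  # malformed line or a different port
        src, dst = fields[1], fields[2]
        try:
            addr = ipaddress.ip_address(src)
        except ValueError:
            continue  # skip unparseable source addresses
        if not any(addr in net for net in nets):
            hits.setdefault(dst, set()).add(src)
    return {dst: sorted(srcs) for dst, srcs in hits.items()}

if __name__ == "__main__":
    print("Below V3.1.2.2:", unpatched_hosts(SAMPLE_INVENTORY))
    print("Untrusted sources on port 8000:",
          untrusted_sources(SAMPLE_CONNS, SAMPLE_TRUSTED))
```

Adapt the line parsing to the export format of the firewall or flow collector in use, and feed the inventory from whatever asset source records the installed TeleControl Server Basic version.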

Evidence notes

The source corpus includes CISA's ICS advisory ICSA-25-112-01 and Siemens advisory SSA-443402, both describing the same flaw in TeleControl Server Basic. The advisory text states the vulnerability is an SQL injection through the LockUser method, requires authenticated remote access to port 8000, and can lead to authorization bypass, database read/write, and code execution as NT AUTHORITY\NetworkService. The advisory was published on 2025-04-16 and revised on 2025-05-06 for typo corrections.

Official resources

Publicly disclosed on 2025-04-16 in CISA and Siemens advisories; revised on 2025-05-06 with typo-only changes.