CVE-2025-32845 Siemens CVE debrief

Who should care

Operators and defenders responsible for Siemens TeleControl Server Basic deployments, especially environments where port 8000 is reachable from untrusted networks or broader internal segments. Security teams should prioritize systems that expose the affected service and any instance that relies on this application for OT/industrial communications.

Technical summary

The source advisory states that the internally used UpdateGeneralSettings method is vulnerable to SQL injection. Exploitation requires authenticated access and network reachability to port 8000 on a vulnerable installation. The reported impact includes authorization bypass, database read/write access, and code execution under NT AUTHORITY\NetworkService permissions.

Defensive priority

High

Recommended defensive actions

• Update Siemens TeleControl Server Basic to V3.1.2.2 or later, as directed by the vendor advisory.
• Restrict access to port 8000 on affected systems to trusted IP addresses only.
• Review network segmentation and firewall rules so the affected service is not broadly reachable.
• Validate that any deployed instance is covered by Siemens and CISA guidance for this advisory.
• Monitor for unexpected database changes or service behavior on exposed TeleControl Server Basic hosts.

Evidence notes

This debrief is based on the CISA CSAF advisory ICSA-25-112-01 and Siemens advisory SSA-443402. The advisory text explicitly describes SQL injection in UpdateGeneralSettings, the authenticated remote attack requirement, the port 8000 access condition, and the potential NT AUTHORITY\NetworkService execution context. The advisory was published on 2025-04-16 and revised on 2025-05-06 for typo fixes.

Official resources