CVE-2025-32847 Siemens CVE debrief

Who should care

Organizations running Siemens TeleControl Server Basic, especially OT/ICS teams, Windows administrators, and security teams responsible for network exposure control on systems that listen on port 8000.

Technical summary

The supplied advisory describes a network-reachable SQL injection reachable through an internal UnlockGeneralSettings method. The CVSS vector is CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H (8.8 HIGH), indicating remote exploitation with low complexity after authentication and network access. The vendor remediation is to update to V3.1.2.2 or later; the interim mitigation is to restrict access to port 8000 to trusted IP addresses only.

Defensive priority

High — prioritize quickly if TeleControl Server Basic is deployed and port 8000 is reachable from untrusted networks or broad internal segments.

Recommended defensive actions

• Update Siemens TeleControl Server Basic to V3.1.2.2 or later.
• Restrict access to port 8000 on affected systems to trusted IP addresses only.
• Verify which hosts expose TeleControl Server Basic on port 8000 and remove unnecessary exposure.
• Review authentication and network segmentation around the application before applying the vendor fix.
• Monitor affected systems for unexpected database changes or service behavior until remediation is complete.

Evidence notes

Primary evidence comes from the CISA CSAF advisory (ICSA-25-112-01) and the Siemens CERT advisory referenced in the source corpus. The source text states that the flaw is SQL injection in UnlockGeneralSettings, requires authenticated remote access with reachability to port 8000, and can lead to authorization bypass, database read/write, and code execution as NT AUTHORITY\\NetworkService. The advisory was published on 2025-04-16 and revised on 2025-05-06 for typos only; no KEV listing is present in the supplied data.

Official resources