CVE-2025-32849 Siemens CVE debrief

Who should care

Siemens TeleControl Server Basic operators, OT/ICS administrators, and defenders responsible for systems where the service is reachable on port 8000, especially in environments that expose the application beyond trusted networks.

Technical summary

According to the CISA CSAF advisory and Siemens product advisory, the flaw is an SQL injection issue in the internally used UnlockSmtpSettings method. The reported attack path requires authenticated remote access and network reachability to port 8000. Successful exploitation could allow authorization bypass, database read/write access, and code execution under NT AUTHORITY\NetworkService. The advisory lists a fixed version of V3.1.2.2 or later and also recommends restricting port 8000 to trusted IP addresses only.

Defensive priority

High. This is network-reachable, requires only low privileges beyond authentication, and is described as enabling authorization bypass plus database compromise and possible code execution.

Recommended defensive actions

• Update Siemens TeleControl Server Basic to V3.1.2.2 or later.
• Restrict access to port 8000 on affected systems to trusted IP addresses only.
• Verify whether any vulnerable instances are reachable from untrusted networks and remove unnecessary exposure.
• Apply OT network segmentation and least-privilege access controls around the affected service.
• Monitor and investigate access attempts against the TeleControl Server Basic service on port 8000.

Evidence notes

Source data comes from CISA advisory ICSA-25-112-01 and the linked Siemens product security advisory. The provided advisory text states the vulnerability is an SQL injection in UnlockSmtpSettings, describes the potential impact, and names the remediation to update to V3.1.2.2 or later. Publication date is 2025-04-16 and the only recorded revision is 2025-05-06 for typo fixes. No KEV listing was provided.

Official resources