CVE-2025-32850 Siemens CVE debrief

Who should care

Organizations running Siemens TeleControl Server Basic, especially OT/ICS administrators, Windows server administrators, and network defenders responsible for systems exposed on port 8000.

Technical summary

The advisory describes SQL injection through the internally used LockTcmSettings method in TeleControl Server Basic. The attack requires authenticated remote access and reachability of port 8000. Successful exploitation can bypass authorization controls and lead to database read/write access plus code execution under the NT AUTHORITY\NetworkService account.

Defensive priority

High. The issue is network-reachable, requires only authenticated access, and has a severe confidentiality/integrity/availability impact profile (CVSS 8.8). Prioritize remediation on any exposed instance, especially where port 8000 is reachable beyond trusted networks.

Recommended defensive actions

• Update Siemens TeleControl Server Basic to V3.1.2.2 or later using the vendor remediation guidance.
• Restrict access to port 8000 on affected systems to trusted IP addresses only.
• Verify which systems expose TeleControl Server Basic and confirm whether port 8000 is reachable from untrusted networks.
• Apply standard ICS defense-in-depth and segmentation practices to reduce exposure of vulnerable OT services.

Evidence notes

This debrief is based on the CISA CSAF advisory ICSA-25-112-01 for CVE-2025-32850, published on 2025-04-16 and revised on 2025-05-06 with typo fixes only. The supplied source identifies Siemens TeleControl Server Basic as the affected product and states that a vulnerable system must be reachable on port 8000. No KEV entry was provided in the supplied enrichment.

Official resources