PatchSiren cyber security CVE debrief
CVE-2025-32851 Siemens CVE debrief
CVE-2025-32851 is a high-severity SQL injection vulnerability affecting Siemens TeleControl Server Basic. According to the public advisory published on 2025-04-16 and revised on 2025-05-06, an authenticated remote attacker who can access port 8000 on a vulnerable system may bypass authorization controls, read and write the application's database, and potentially execute code with NT AUTHORITY\NetworkService permissions.
- Vendor
- Siemens
- Product
- TeleControl Server Basic
- CVSS
- HIGH 8.8
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2025-04-16
- Original CVE updated
- 2025-05-06
- Advisory published
- 2025-04-16
- Advisory updated
- 2025-05-06
Who should care
Security teams, OT/ICS operators, and Windows administrators responsible for Siemens TeleControl Server Basic deployments—especially where port 8000 is reachable from networks beyond tightly trusted hosts.
Technical summary
The advisory identifies SQL injection in the internally used UnlockTcmSettings method. The attack requires authentication and network access to port 8000 on a system running a vulnerable version of TeleControl Server Basic. If exploited, the attacker may bypass authorization checks, manipulate application database contents, and achieve code execution under NT AUTHORITY\NetworkService. The supplied CVSS vector is CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H, reflecting a network-reachable issue with high confidentiality, integrity, and availability impact.
Defensive priority
High. Prioritize if TeleControl Server Basic is deployed, particularly where port 8000 is exposed outside a trusted management network or where the application handles sensitive operational data.
Recommended defensive actions
- Update Siemens TeleControl Server Basic to V3.1.2.2 or later, as listed in the vendor remediation.
- Restrict access to port 8000 on affected systems to trusted IP addresses only.
- Verify which hosts expose port 8000 and remove unnecessary network reachability.
- Confirm the deployed TeleControl Server Basic version across the environment and schedule remediation for any vulnerable instances.
- Review access control and service-account exposure around the application, since successful exploitation may lead to execution as NT AUTHORITY\NetworkService.
Evidence notes
All key claims in this debrief are drawn from the supplied CISA CSAF advisory for ICSA-25-112-01 and its listed Siemens references. The advisory states that the affected application is vulnerable to SQL injection through the internally used UnlockTcmSettings method, that exploitation requires an authenticated remote attacker with access to port 8000, and that impact includes authorization bypass, database read/write access, and code execution with NT AUTHORITY\NetworkService permissions. The advisory was published on 2025-04-16 and revised on 2025-05-06 for typos only. No KEV listing was provided in the supplied corpus.
Official resources
-
CVE-2025-32851 CVE record
CVE.org
-
CVE-2025-32851 NVD detail
NVD
-
Source item URL
cisa_csaf
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
Publicly disclosed in the CISA/Siemens advisory set on 2025-04-16; the advisory was revised on 2025-05-06 with typos fixed only.