PatchSiren cyber security CVE debrief
CVE-2025-32853 Siemens CVE debrief
CVE-2025-32853 affects Siemens TeleControl Server Basic and was published on 2025-04-16, with a later 2025-05-06 revision noted as typo fixes. The advisory describes an SQL injection vulnerability in the internally used UnlockDatabaseSettings method. An authenticated remote attacker who can reach port 8000 on a vulnerable system may be able to bypass authorization controls, read from and write to the application's database, and execute code as NT AUTHORITY\NetworkService. Siemens lists an update to V3.1.2.2 or later and restricting access to port 8000 to trusted IP addresses as the primary defenses.
- Vendor
- Siemens
- Product
- TeleControl Server Basic
- CVSS
- HIGH 8.8
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2025-04-16
- Original CVE updated
- 2025-05-06
- Advisory published
- 2025-04-16
- Advisory updated
- 2025-05-06
Who should care
Organizations running Siemens TeleControl Server Basic, especially environments exposing port 8000 to anything beyond tightly controlled management networks. Security teams responsible for OT/ICS systems, Windows service hardening, and application/database access controls should prioritize this advisory.
Technical summary
The source advisory states that the vulnerable application exposes an SQL injection condition through the internally used UnlockDatabaseSettings method. The exploit path requires authenticated access and network reachability to port 8000. If successful, the attacker could bypass authorization checks, interact directly with the application's database for read and write operations, and execute code under the NT AUTHORITY\NetworkService account. The provided CVSS vector is CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H, consistent with a high-severity network-reachable issue that still depends on attacker authentication and service exposure.
Defensive priority
High. The combination of remote reachability, authenticated attack requirements, and potential database compromise plus code execution warrants prompt remediation, especially for any deployment that exposes port 8000 beyond a trusted boundary.
Recommended defensive actions
- Upgrade Siemens TeleControl Server Basic to V3.1.2.2 or later.
- Restrict access to port 8000 on affected systems to trusted IP addresses only.
- Verify whether any instance of TeleControl Server Basic is reachable from untrusted or broader network segments.
- Review authentication and network segmentation controls around the affected service.
- Monitor for unusual database activity or service behavior on systems running vulnerable versions.
Evidence notes
All factual claims here are taken from the supplied CISA CSAF advisory for ICSA-25-112-01 and its listed Siemens references. The advisory text explicitly names TeleControl Server Basic, the UnlockDatabaseSettings SQL injection, the authenticated remote attack requirement, port 8000 exposure, the NT AUTHORITY\NetworkService execution context, and the remediation to update to V3.1.2.2 or later. No KEV listing is present in the supplied enrichment fields.
Official resources
-
CVE-2025-32853 CVE record
CVE.org
-
CVE-2025-32853 NVD detail
NVD
-
Source item URL
cisa_csaf
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
Published by CISA and Siemens on 2025-04-16; revised on 2025-05-06 for typo fixes.