PatchSiren cyber security CVE debrief

CVE-2025-32855 Siemens CVE debrief

CVE-2025-32855 affects Siemens TeleControl Server Basic. The supplied CISA/Siemens advisory says the internally used UnlockOpcSettings method is vulnerable to SQL injection. An authenticated remote attacker who can reach port 8000 on a vulnerable system may bypass authorization controls, read and write the application's database, and execute code with NT AUTHORITY\NetworkService permissions. Siemens' remediation is to update to V3.1.2.2 or later; until then, restrict port 8000 to trusted IP addresses only.

Vendor: Siemens
Product: TeleControl Server Basic
CVSS: HIGH 8.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2025-04-16
Original CVE updated: 2025-05-06
Advisory published: 2025-04-16
Advisory updated: 2025-05-06

Who should care

Operators and administrators of Siemens TeleControl Server Basic, OT/ICS security teams, and network defenders responsible for systems exposing port 8000.

Technical summary

The advisory describes a network-reachable SQL injection in the UnlockOpcSettings method of Siemens TeleControl Server Basic. The attack requires authenticated access and connectivity to port 8000, and the reported impact includes authorization bypass, database read/write access, and code execution in the NT AUTHORITY\NetworkService context. The supplied CVSS vector is CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H, which aligns with the high-severity assessment.

Defensive priority

High. The issue combines authenticated remote reachability, database compromise potential, and code execution in a service account context, so exposed instances should be prioritized for patching and exposure reduction.

Recommended defensive actions

  • Update Siemens TeleControl Server Basic to V3.1.2.2 or later.
  • Restrict access to port 8000 on affected systems to trusted IP addresses only.
  • Inventory all TeleControl Server Basic deployments and identify any exposed or cross-zone-reachable instances.
  • Review OT network segmentation and authentication controls around the service.
  • Monitor for unusual database activity or service behavior until remediation is complete.
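One way to turn the first three actions into a triage list, as an added example that is not taken from the Siemens or CISA advisory. The inventory records, their field names, the host names and the trusted range are constructed assumptions; only the fixed version V3.1.2.2 and port 8000 come from the advisory.

```python
import ipaddress

FIXED_VERSION = (3, 1, 2, 2)        # advisory: fixed in V3.1.2.2 or later
TRUSTED_SOURCES = ["10.20.0.0/24"]  # assumption: the site's trusted management range

# Constructed inventory: hosts, versions and firewall sources are made up.
SAMPLE_INVENTORY = [
    {"host": "tcsb-01", "version": "V3.1.2.1", "port_8000_sources": ["0.0.0.0/0"]},
    {"host": "tcsb-02", "version": "3.1.1", "port_8000_sources": ["10.20.0.0/28"]},
    {"host": "tcsb-03", "version": "V3.1.2.2",
     "port_8000_sources": ["10.20.0.5/32", "192.168.50.0/24"]},
    {"host": "tcsb-04", "version": "V3.2.0.0", "port_8000_sources": ["10.20.0.0/24"]},
]

def parse_version(text):
    """Turn 'V3.1.2.1' or '3.1.1' into a tuple of at least four integers."""
    parts = [int(p) for p in text.strip().lstrip("Vv").split(".")]
    return tuple(parts + [0] * (4 - len(parts)))

def untrusted_sources(allowed, trusted):
    """Return the allowed port-8000 source ranges that no trusted range contains."""
    nets = [ipaddress.ip_network(t) for t in trusted]
    def covered(src):
        net = ipaddress.ip_network(src)
        return any(net.version == t.version and net.subnet_of(t) for t in nets)
    return [src for src in allowed if not covered(src)]

def triage(inventory, trusted):
    """List hosts needing action, most urgent first (unpatched and exposed)."""
    findings = []
    for item in inventory:
        unpatched = parse_version(item["version"]) < FIXED_VERSION
        loose = untrusted_sources(item["port_8000_sources"], trusted)
        if unpatched and loose:
            rank, action = 1, "update and restrict port 8000"
        elif unpatched:
            rank, action = 2, "update"
        elif loose:
            rank, action = 3, "review port 8000 exposure"
        else:
            continue
        findings.append({"host": item["host"], "rank": rank,
                         "action": action, "untrusted": loose})
    return sorted(findings, key=lambda f: (f["rank"], f["host"]))

if __name__ == "__main__":
    for f in triage(SAMPLE_INVENTORY, TRUSTED_SOURCES):
        print(f["rank"], f["host"], f["action"], f["untrusted"])
```
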

Evidence notes

This debrief is based on the supplied CISA CSAF advisory ICSA-25-112-01 and its Siemens references. The advisory was published on 2025-04-16 and revised on 2025-05-06; the revision history in the supplied corpus says the update fixed typos only. The source description explicitly names the vulnerable method (UnlockOpcSettings), the access prerequisite (port 8000), and the vendor fix (V3.1.2.2 or later). The enrichment provided with the request marks the issue as not in CISA KEV.

Official resources

Publicly disclosed by Siemens/CISA on 2025-04-16; the supplied advisory was revised on 2025-05-06 for typo fixes. No CISA KEV entry is included in the supplied corpus.