PatchSiren cyber security CVE debrief
CVE-2025-32856 Siemens CVE debrief
CVE-2025-32856 is a high-severity SQL injection vulnerability in Siemens TeleControl Server Basic. According to the published advisory, an authenticated remote attacker who can reach port 8000 on a vulnerable system may bypass authorization controls, interact with the application's database, and potentially execute code as NT AUTHORITY\NetworkService. Siemens and CISA published the advisory on 2025-04-16, with a later 2025-05-06 revision for typo fixes only.
- Vendor
- Siemens
- Product
- TeleControl Server Basic
- CVSS
- HIGH 8.8
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2025-04-16
- Original CVE updated
- 2025-05-06
- Advisory published
- 2025-04-16
- Advisory updated
- 2025-05-06
Who should care
Organizations running Siemens TeleControl Server Basic, especially environments that expose port 8000 beyond tightly controlled networks. Security teams, OT/ICS operators, and administrators responsible for Siemens product patching and network segmentation should prioritize review.
Technical summary
The issue is described as SQL injection in the internally used LockBufferingSettings method. The advisory states that exploitation requires authenticated access and network reachability to port 8000 on a system running an affected version. Successful exploitation could allow authorization bypass, database read/write access, and code execution with NT AUTHORITY\NetworkService privileges. The published remediation is to update to V3.1.2.2 or later, or restrict access to port 8000 to trusted IP addresses only.
Defensive priority
High. The CVSS score is 8.8 with network attack vector, low attack complexity, and high impact to confidentiality, integrity, and availability. Because the affected product is an industrial/OT-related Siemens component and the advisory includes code execution potential, remediation and exposure reduction should be prioritized promptly.
Recommended defensive actions
- Update Siemens TeleControl Server Basic to V3.1.2.2 or later.
- Restrict access to port 8000 on affected systems to trusted IP addresses only.
- Confirm whether any systems running TeleControl Server Basic are reachable from untrusted networks.
- Review authentication and authorization controls around any management or service interfaces exposed on port 8000.
- Monitor affected hosts for unexpected database activity or service behavior until patching is complete.
Evidence notes
All core facts in this debrief come from the CISA CSAF advisory ICSA-25-112-01 and the Siemens product advisory references listed in the source corpus. The advisory was published on 2025-04-16 and revised on 2025-05-06 with typo-only changes. The affected product is Siemens TeleControl Server Basic, and the mitigation and vendor fix guidance are explicitly stated in the advisory.
Official resources
-
CVE-2025-32856 CVE record
CVE.org
-
CVE-2025-32856 NVD detail
NVD
-
Source item URL
cisa_csaf
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
Publicly disclosed in the CISA/Siemens advisory published on 2025-04-16; the source corpus shows a 2025-05-06 revision limited to typo fixes.