CVE-2025-32858 Siemens CVE debrief

Who should care

Organizations running Siemens TeleControl Server Basic, especially OT/ICS operators exposing port 8000, as well as security teams responsible for perimeter filtering, asset inventory, and patching of Siemens-managed systems.

Technical summary

The supplied advisory identifies an SQL injection flaw in the internally used UpdateWebServerGatewaySettings method. The attack path requires authentication and network access to port 8000 on a vulnerable host. If exploited, the attacker may bypass authorization checks, interact with the database for read/write operations, and achieve code execution under the NetworkService account. The supplied CVSS vector is CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H, matching a high-severity remote attack with low complexity and limited privileges.

Defensive priority

High. Treat as urgent for any exposed or reachable TeleControl Server Basic instance, because the flaw combines network reachability, authenticated access, database compromise, and potential code execution.

Recommended defensive actions

• Update Siemens TeleControl Server Basic to V3.1.2.2 or later per vendor guidance.
• Restrict access to port 8000 on affected systems to trusted IP addresses only.
• Verify whether any instances are reachable from untrusted networks and remove unnecessary exposure.
• Review authentication, application, and database logs for unexpected access or changes tied to the affected service.

Evidence notes

This debrief is based on the CISA CSAF advisory ICSA-25-112-01 for CVE-2025-32858, which cites Siemens TeleControl Server Basic and describes the SQL injection condition, required port 8000 access, and potential impacts. The supplied source also lists Siemens remediation to update to V3.1.2.2 or later and a mitigation to restrict port 8000 to trusted IP addresses. The advisory revision history shows an initial publication on 2025-04-16 and a typo-fixing revision on 2025-05-06.

Official resources