CVE-2025-32861 Siemens CVE debrief

Who should care

OT/ICS defenders, Siemens TeleControl Server Basic administrators, and network teams responsible for systems that expose or route traffic to port 8000. This is especially relevant where the product is reachable from less-trusted networks or where remote authenticated access is permitted.

Technical summary

The advisory describes an SQL injection weakness in TeleControl Server Basic's internal UpdateTraceLevelSettings method. Successful exploitation requires authenticated remote access and connectivity to port 8000. Impact includes authorization bypass, database read/write access, and code execution under the NetworkService account. The advisory lists CVSS 3.1 as 8.8 (HIGH).

Defensive priority

High. Patch promptly if the product is in use and especially if port 8000 is reachable beyond a tightly controlled trust boundary. If immediate patching is not possible, treat access restriction as urgent risk reduction.

Recommended defensive actions

• Update Siemens TeleControl Server Basic to V3.1.2.2 or later.
• Restrict access to port 8000 on affected systems to trusted IP addresses only.
• Review whether any affected systems expose port 8000 to broader networks and remove unnecessary exposure.
• Limit authenticated access paths to the product and apply network segmentation around the asset.
• Monitor for unusual database activity, unexpected application behavior, or execution under NT AUTHORITY\NetworkService on affected hosts.

Evidence notes

This debrief is based on the CISA CSAF advisory ICSA-25-112-01 and the Siemens product security advisory references supplied in the source corpus. The advisory was published on 2025-04-16 and revised on 2025-05-06 for typo fixes only. No KEV listing was provided in the supplied data. All impact and remediation statements are drawn from the supplied advisory text; no additional exploitation details are included.

Official resources