PatchSiren

CVE-2025-32864 Siemens CVE debrief

CVE-2025-32864 affects Siemens TeleControl Server Basic and is described by CISA as an SQL injection issue in the internally used GetSettings method. A successful attack requires authenticated access and reachability of port 8000 on a system running a vulnerable version. If exploited, the flaw could let an attacker bypass authorization controls, read and write the application database, and execute code with NT AUTHORITY\NetworkService permissions. Siemens lists an update to V3.1.2.2 or later, and CISA also recommends restricting access to port 8000 to trusted IP addresses only.

Vendor: Siemens
Product: TeleControl Server Basic
CVSS: HIGH 8.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2025-04-16
Original CVE updated: 2025-05-06
Advisory published: 2025-04-16
Advisory updated: 2025-05-06

Who should care

Organizations running Siemens TeleControl Server Basic, especially OT/IT teams that expose or route traffic to port 8000 and administrators responsible for access control, patching, and network segmentation.

Technical summary

The advisory describes an SQL injection condition in the internal GetSettings method of TeleControl Server Basic. The attack vector is network-based with low attack complexity and requires low privileges but no user interaction. Impact is high across confidentiality, integrity, and availability. The vendor remediation is to update to V3.1.2.2 or later; the interim mitigation is to restrict access to port 8000 to trusted IP addresses.

Defensive priority

High. The issue is network-reachable, requires authentication, and carries high-impact consequences if exposed, but it has a vendor fix and a straightforward network-layer mitigation.

Recommended defensive actions

  • Update Siemens TeleControl Server Basic to V3.1.2.2 or later.
  • Restrict access to port 8000 on affected systems to trusted IP addresses only.
  • Verify which hosts can reach the service and remove unnecessary exposure.
  • Review authentication and authorization controls around the affected deployment.
  • Apply standard OT network segmentation and defense-in-depth practices for externally reachable management services.
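
One way to carry out the port 8000 restriction and the reachability check on the Windows host itself, using the built-in Windows Defender Firewall cmdlets. This is an added example, not taken from the Siemens or CISA material; the trusted addresses and the rule display name are constructed placeholders, and it assumes an elevated PowerShell session.

```powershell
# Added example (not vendor code). Run elevated on the TeleControl Server Basic host.
$Port    = 8000
$Trusted = @('192.0.2.10', '192.0.2.32/28')   # constructed placeholders: your trusted sources

function Test-CoversPort {
    # True if a firewall LocalPort value ('Any', '8000', '7000-9000') includes $Port.
    param([string[]]$LocalPort, [int]$Port)
    foreach ($p in $LocalPort) {
        if ($p -eq 'Any') { return $true }
        if ($p -match '^(\d+)-(\d+)$') {
            if ($Port -ge [int]$Matches[1] -and $Port -le [int]$Matches[2]) { return $true }
        }
        elseif ($p -match '^\d+$' -and [int]$p -eq $Port) { return $true }
    }
    return $false
}

# 1. Enabled inbound allow rules that cover TCP 8000, with the sources each one admits.
#    Reads the local persistent store; add -PolicyStore ActiveStore to include
#    rules delivered by Group Policy.
$rules = foreach ($r in Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow) {
    $pf = $r | Get-NetFirewallPortFilter
    if ($pf.Protocol -notin 'TCP', '6', 'Any') { continue }
    if (-not (Test-CoversPort -LocalPort $pf.LocalPort -Port $Port)) { continue }
    $af = $r | Get-NetFirewallAddressFilter
    [pscustomobject]@{
        Rule          = $r.DisplayName
        LocalPort     = $pf.LocalPort -join ','
        RemoteAddress = $af.RemoteAddress -join ','
        Unrestricted  = [bool]($af.RemoteAddress -contains 'Any')
    }
}
$rules | Sort-Object Unrestricted -Descending | Format-Table -AutoSize

# 2. Peers currently connected to the port; compare them against $Trusted.
Get-NetTCPConnection -LocalPort $Port -State Established -ErrorAction SilentlyContinue |
    Select-Object -ExpandProperty RemoteAddress -Unique

# 3. Scoped allow rule. -WhatIf only previews the change; remove it after review.
New-NetFirewallRule -DisplayName "TeleControl TCP $Port (trusted sources only)" `
    -Direction Inbound -Protocol TCP -LocalPort $Port `
    -RemoteAddress $Trusted -Action Allow -WhatIf
```

A scoped allow rule does not narrow broader ones: every rule reported with Unrestricted = True still admits any source and has to be disabled or re-scoped before the restriction takes effect. Host firewall rules complement, and do not replace, filtering on the network path to the server.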

Evidence notes

All core claims in this debrief are taken from the CISA CSAF advisory ICSA-25-112-01 and its Siemens reference materials. The source states that the issue is SQL injection in the internally used GetSettings method, that exploitation requires authenticated remote access to port 8000, and that impact includes authorization bypass, database read/write, and code execution as NT AUTHORITY\NetworkService. The revision history shows the 2025-05-06 change was a typo fix rather than a substantive update.

Official resources

Published 2025-04-16 and revised 2025-05-06; the revision history notes the later change was a typo fix. Use 2025-04-16 as the advisory publication date.