PatchSiren cyber security CVE debrief
CVE-2025-32866 Siemens CVE debrief
CVE-2025-32866 is a high-severity SQL injection vulnerability in Siemens TeleControl Server Basic. The issue is exposed through the internally used GetLogs method and can allow an authenticated remote attacker with access to port 8000 to bypass authorization controls, read and write the application database, and execute code as NT AUTHORITY\NetworkService. Siemens and CISA list update-to-fixed-version guidance and access restriction as the primary mitigations.
- Vendor
- Siemens
- Product
- TeleControl Server Basic
- CVSS
- HIGH 8.8
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2025-04-16
- Original CVE updated
- 2025-05-06
- Advisory published
- 2025-04-16
- Advisory updated
- 2025-05-06
Who should care
Operators, administrators, and defenders responsible for Siemens TeleControl Server Basic deployments, especially environments where port 8000 is reachable from untrusted networks or broader internal networks.
Technical summary
The supplied CSAF advisory states that the affected application is vulnerable to SQL injection through the internally used GetLogs method. The impact described includes authorization bypass, database read/write access, and code execution under NT AUTHORITY\NetworkService permissions. The attack requires authenticated remote access and network reachability to port 8000 on a system running a vulnerable version. Siemens’ remediation guidance is to update to V3.1.2.2 or later and to restrict access to port 8000 to trusted IP addresses only.
Defensive priority
High. Treat this as a priority exposure because the vulnerability combines authenticated remote access, database compromise potential, and service-level code execution. Focus first on network exposure reduction and then on patching to the fixed release.
Recommended defensive actions
- Update Siemens TeleControl Server Basic to V3.1.2.2 or later.
- Restrict access to port 8000 on affected systems to trusted IP addresses only.
- Verify whether any untrusted or broad internal network paths can reach the affected service.
- Review access controls and authentication around exposed management or service interfaces.
- Monitor the Siemens advisory and CISA notice for any further remediation updates.
Evidence notes
All key claims are supported by the supplied CISA CSAF source for ICSA-25-112-01 and its Siemens references. The advisory was published on 2025-04-16 and revised on 2025-05-06 with a revision note indicating typo fixes only. The source explicitly identifies Siemens TeleControl Server Basic as the affected product, describes the SQL injection in GetLogs, specifies the need for authenticated remote access and port 8000 reachability, and lists the vendor fix version V3.1.2.2 or later plus port restriction as remediation.
Official resources
-
CVE-2025-32866 CVE record
CVE.org
-
CVE-2025-32866 NVD detail
NVD
-
Source item URL
cisa_csaf
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
Publicly disclosed in the CISA CSAF advisory ICSA-25-112-01 on 2025-04-16; the advisory was revised on 2025-05-06 for typo fixes.