CVE-2025-32867 Siemens CVE debrief

Who should care

Organizations running Siemens TeleControl Server Basic, especially OT/ICS environments exposing port 8000, should prioritize this issue. Security teams responsible for network segmentation, firewall rules, and patching for Siemens-managed assets should also review their exposure.

Technical summary

The issue is described as SQL injection in the internally used CreateBackup method. The advisory states that exploitation requires authenticated remote access and the ability to reach port 8000 on a vulnerable system. Successful exploitation can bypass authorization and impact confidentiality, integrity, and availability of the application's database, with code execution occurring under the NetworkService account context.

Defensive priority

High. The combination of authenticated remote exploitation, database compromise, and code execution in a service account context makes this a priority for any exposed deployment, especially in industrial environments.

Recommended defensive actions

• Update Siemens TeleControl Server Basic to V3.1.2.2 or later.
• Restrict access to port 8000 on affected systems to trusted IP addresses only.
• Inventory any TeleControl Server Basic deployments and verify whether they are reachable on port 8000.
• Apply Siemens and CISA-referenced industrial control system security best practices for segmentation and exposure reduction.

Evidence notes

This debrief is based on CISA CSAF ICSA-25-112-01 and the Siemens product advisory references included in the source corpus. The advisory was published on 2025-04-16 and revised on 2025-05-06 for typo fixes. The supplied data does not indicate a Known Exploited Vulnerabilities (KEV) listing.

Official resources