PatchSiren

PatchSiren cyber security CVE debrief

CVE-2025-32872 Siemens CVE debrief

CVE-2025-32872 is a high-severity SQL injection issue in Siemens TeleControl Server Basic. According to the CISA advisory and Siemens references, an authenticated remote attacker who can reach port 8000 may bypass authorization controls, read and write the application's database, and execute code with NT AUTHORITY\NetworkService privileges. Siemens lists a fixed version, and CISA's revision history shows the advisory was later updated only for typo corrections.

Vendor: Siemens
Product: TeleControl Server Basic
CVSS: HIGH 8.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2025-04-16
Original CVE updated: 2025-05-06
Advisory published: 2025-04-16
Advisory updated: 2025-05-06

Who should care

Organizations operating Siemens TeleControl Server Basic, especially OT/ICS environments where port 8000 may be reachable from untrusted networks. Security teams, network administrators, and incident responders should prioritize systems with exposed service access and any deployments that allow authenticated remote access.

Technical summary

The advisory describes SQL injection in the internally used GetOverview method. The attack requires an authenticated remote attacker and network access to port 8000 on a vulnerable system. Successful exploitation can bypass authorization controls, expose and modify database contents, and lead to code execution as NT AUTHORITY\NetworkService. The source advisory classifies the issue with CVSS 3.1 8.8 (HIGH).

Defensive priority

High. This is a network-reachable authenticated SQL injection in an industrial product, with potential for authorization bypass, database compromise, and code execution under a service account. Exposure of port 8000 materially increases risk.

Recommended defensive actions

  • Update Siemens TeleControl Server Basic to V3.1.2.2 or later using the vendor-provided fix path.
  • Restrict access to port 8000 to trusted IP addresses only and remove any unnecessary exposure to broader networks.
  • Review deployments for authenticated remote access paths that could reach the vulnerable service and tighten network segmentation accordingly.
  • Use CISA ICS recommended practices and defense-in-depth guidance to reduce reachable attack surface around the affected host.
  • Monitor for unusual database activity or unexpected service behavior on systems running the affected product until remediation is complete.
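One way to check the port 8000 restriction on the affected Windows host, as an added example that is not part of the advisory or of Siemens tooling: it lists any listener on TCP 8000 and every enabled inbound allow rule that covers the port, then flags rules whose remote addresses fall outside a trusted list. The addresses in $Trusted are constructed placeholders, and the script assumes an elevated PowerShell session with the built-in NetSecurity and NetTCPIP modules.

```powershell
# Added example: audit inbound exposure of TCP 8000 with Windows Firewall cmdlets.
# $Port comes from the advisory; $Trusted is a constructed placeholder list.
$Port    = 8000
$Trusted = @('192.0.2.10', '192.0.2.11')   # placeholder: approved client addresses

# True when a firewall LocalPort spec ('Any', '8000', '7990-8010') covers $Port.
function Test-PortInSpec {
    param([string[]]$Spec, [int]$Port)
    foreach ($s in $Spec) {
        if ($s -eq 'Any') { return $true }
        if ($s -match '^(\d+)-(\d+)$') {
            if ($Port -ge [int]$Matches[1] -and $Port -le [int]$Matches[2]) { return $true }
        } elseif ($s -eq "$Port") { return $true }
    }
    return $false
}

# 1. Is anything listening on the port, and which process owns the socket?
Get-NetTCPConnection -LocalPort $Port -State Listen -ErrorAction SilentlyContinue |
    Select-Object LocalAddress, LocalPort, OwningProcess

# 2. Effective (local + Group Policy) inbound allow rules that cover the port.
$rules = Get-NetFirewallRule -PolicyStore ActiveStore -Direction Inbound -Action Allow -Enabled True
$findings = foreach ($rule in $rules) {
    $pf = $rule | Get-NetFirewallPortFilter
    if ($pf.Protocol -notin 'TCP', '6', 'Any') { continue }
    if (-not (Test-PortInSpec -Spec $pf.LocalPort -Port $Port)) { continue }

    # Plain string comparison: 'Any', 'LocalSubnet', ranges and subnets are
    # reported as outside the list so that a person reviews them.
    $remote = @(($rule | Get-NetFirewallAddressFilter).RemoteAddress)
    $extra  = @($remote | Where-Object { $_ -notin $Trusted })
    [pscustomobject]@{
        Rule        = $rule.DisplayName
        LocalPort   = $pf.LocalPort -join ','
        Remote      = $remote -join ','
        OutsideList = $extra -join ','
        Compliant   = ($extra.Count -eq 0)
    }
}
$findings | Sort-Object Compliant | Format-Table -AutoSize -Wrap

# To scope a flagged rule after review (placeholder rule name):
# Set-NetFirewallRule -DisplayName '<rule name>' -RemoteAddress $Trusted
```

Rules with LocalPort 'Any' (typically program-scoped rules) are included on purpose, since they also admit traffic to port 8000.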

Evidence notes

All substantive claims are drawn from the supplied CISA CSAF advisory ICSA-25-112-01 and the Siemens references listed in that advisory. The advisory was published on 2025-04-16 and revised on 2025-05-06 with the stated summary "Fixing typos"; that revision does not indicate a new issue date or a change in the vulnerability substance.

Official resources

Publicly disclosed on 2025-04-16 in CISA advisory ICSA-25-112-01. The advisory source was revised on 2025-05-06 for typo fixes only.