CVE-2025-32867 Overview
CVE-2025-32867 is a SQL injection vulnerability in Siemens TeleControl Server Basic affecting all versions prior to V3.1.2.2. The flaw resides in the internally used CreateBackup method, which fails to properly sanitize user-supplied input before incorporating it into SQL queries. An authenticated remote attacker with access to TCP port 8000 can bypass authorization controls, read and write to the application database, and execute code under the NT AUTHORITY\NetworkService account. The vulnerability is tracked under CWE-89 and detailed in the Siemens Security Advisory SSA-443402.
Critical Impact
Authenticated attackers can bypass authorization, manipulate the backend database, and execute arbitrary code as NT AUTHORITY\NetworkService on affected industrial control system servers.
Affected Products
- Siemens TeleControl Server Basic, all versions before V3.1.2.2
- Deployments exposing TCP port 8000 to reachable networks
- Industrial environments using TeleControl Server Basic for SCADA backend operations
Discovery Timeline
- 2025-04-16 - CVE-2025-32867 published to NVD
- 2025-08-19 - Last updated in NVD database
Technical Details for CVE-2025-32867
Vulnerability Analysis
The vulnerability stems from improper neutralization of input in the CreateBackup method used internally by TeleControl Server Basic. Attacker-controlled data is concatenated into SQL statements rather than passed through parameterized queries. Because the method is reachable over the network on port 8000, low-privileged authenticated users can invoke it to manipulate database content beyond their intended permissions.
The injection enables both read and write operations against the underlying database, which Siemens documents as allowing authorization bypass. Because TeleControl Server Basic runs under the NT AUTHORITY\NetworkService Windows service account, successful database-tier exploitation can be pivoted into command execution at that service privilege level. This represents a path from SQL injection to operating system code execution on a host that frequently sits inside the OT and industrial control system network.
Root Cause
The root cause is missing input sanitization in the CreateBackup routine, classified as [CWE-89] SQL Injection. The method trusts client-supplied parameters and embeds them directly into SQL queries executed against the application database, violating standard parameterization practice.
Attack Vector
Exploitation requires network reachability to port 8000 on a host running a vulnerable version and a valid set of low-privilege application credentials. The attacker sends a crafted request that drives the CreateBackup flow with malicious SQL syntax. The injected SQL is executed by the backend, allowing authorization bypass, arbitrary read and write operations, and ultimately code execution as the service account.
No verified exploit code or public proof of concept is currently published. Refer to the Siemens Security Advisory SSA-443402 for vendor technical details.
Detection Methods for CVE-2025-32867
Indicators of Compromise
- Unexpected inbound connections to TCP port 8000 from hosts outside the expected management network.
- Database log entries showing anomalous queries originating from the TeleControl Server Basic application context.
- New, modified, or unexplained processes spawned by the TeleControl service running as NT AUTHORITY\NetworkService.
- Backup-related operations triggered outside scheduled maintenance windows.
Detection Strategies
- Inspect application and database logs for SQL syntax artifacts such as UNION SELECT, stacked queries, or comment delimiters in parameters passed to the CreateBackup method.
- Monitor child processes of the TeleControl Server Basic service for execution of cmd.exe, powershell.exe, or other interpreters under the NetworkService account.
- Alert on outbound network connections initiated by the TeleControl service process to non-approved destinations.
Monitoring Recommendations
- Enable verbose authentication and authorization logging on TeleControl Server Basic and forward events to a centralized SIEM.
- Baseline normal database query patterns and alert on deviations involving the backup workflow.
- Track failed and successful authentication attempts to port 8000 to surface credential abuse preceding injection attempts.
How to Mitigate CVE-2025-32867
Immediate Actions Required
- Upgrade TeleControl Server Basic to V3.1.2.2 or later as published in Siemens Security Advisory SSA-443402.
- Restrict network access to TCP port 8000 to a small set of trusted engineering workstations using host and network firewalls.
- Rotate credentials for all application accounts that could have been used to reach the vulnerable endpoint.
- Review database and service account activity for signs of prior exploitation.
Patch Information
Siemens has released V3.1.2.2 of TeleControl Server Basic, which remediates the SQL injection in the CreateBackup method. Patch details and download instructions are available in the Siemens ProductCERT advisory SSA-443402.
Workarounds
- Place TeleControl Server Basic hosts inside a segmented OT network protected by a firewall that blocks unsolicited access to port 8000.
- Enforce least-privilege on application accounts and remove unused credentials that could be leveraged for authenticated exploitation.
- Apply Siemens' general operational guidelines for industrial security, including defense-in-depth and cell protection concepts.
# Example Windows firewall rule restricting port 8000 to a management subnet
netsh advfirewall firewall add rule name="TeleControl-8000-Restrict" ^
dir=in action=allow protocol=TCP localport=8000 ^
remoteip=10.10.20.0/24
netsh advfirewall firewall add rule name="TeleControl-8000-Deny" ^
dir=in action=block protocol=TCP localport=8000
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
