CVE-2025-32865 – An SQL injection vulnerability in TeleControl S... (How to Fix)

Q: How do I fix CVE-2025-32865?

1. Download V3.1.2.2 from Siemens official sources. 2. Backup configuration and data. 3. Stop TeleControl Server Basic service. 4. Install update. 5. Restart service and verify functionality.

Q: What is the severity of CVE-2025-32865?

CVE-2025-32865 has a CVSS score of 8.8 (HIGH). An SQL injection vulnerability in TeleControl Server Basic allows authenticated remote attackers to bypass authorization controls, read/write to the database, and execute code with NetworkService permissions. This affects all versions before V3.1.2.2. Attackers need access to port 8000 on systems running vulnerable versions.

📋 TL;DR

An SQL injection vulnerability in TeleControl Server Basic allows authenticated remote attackers to bypass authorization controls, read/write to the database, and execute code with NetworkService permissions. This affects all versions before V3.1.2.2. Attackers need access to port 8000 on systems running vulnerable versions.

💻 Affected Systems

Products:

TeleControl Server Basic

Versions: All versions < V3.1.2.2

Operating Systems: Windows (based on NT AUTHORITY\NetworkService reference)

Default Config Vulnerable: ⚠️ Yes

Notes: Requires TeleControl Server Basic service running on port 8000. Authentication required but authorization bypass possible.

📦 What is this software?

Telecontrol Server Basic by Siemens

View all CVEs affecting Telecontrol Server Basic →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Full system compromise with NetworkService privileges leading to lateral movement, data exfiltration, and complete control over affected systems.

🟠

Likely Case

Database manipulation, privilege escalation, and unauthorized access to sensitive industrial control data.

🟢

If Mitigated

Limited impact with proper network segmentation and authentication controls preventing access to vulnerable service.

🌐 Internet-Facing: HIGH - Port 8000 exposed to internet would allow remote exploitation by authenticated attackers.

🏢 Internal Only: HIGH - Internal attackers with network access to port 8000 can exploit this vulnerability.

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: UNKNOWN

Unauthenticated Exploit: ✅ No

Complexity: LOW

SQL injection through CreateLog method requires authentication but allows authorization bypass. Siemens advisory suggests exploit is straightforward.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: V3.1.2.2

Vendor Advisory: https://cert-portal.siemens.com/productcert/html/ssa-443402.html

Restart Required: Yes

Instructions:

1. Download V3.1.2.2 from Siemens official sources. 2. Backup configuration and data. 3. Stop TeleControl Server Basic service. 4. Install update. 5. Restart service and verify functionality.

🔧 Temporary Workarounds

Network Segmentation

windows

Restrict access to port 8000/TCP to only trusted management networks

Windows Firewall: New-NetFirewallRule -DisplayName "Block TeleControl Port" -Direction Inbound -LocalPort 8000 -Protocol TCP -Action Block

Authentication Hardening

all

Implement strong authentication mechanisms and monitor for suspicious login attempts

🧯 If You Can't Patch

Implement strict network access controls to limit access to port 8000 to only absolutely necessary systems
Deploy web application firewall (WAF) with SQL injection protection rules in front of the service

🔍 How to Verify

Check if Vulnerable:

Check TeleControl Server Basic version in application interface or installation directory. Versions below V3.1.2.2 are vulnerable.

Check Version:

Check application GUI or installation properties. No standard CLI command provided by vendor.

Verify Fix Applied:

Verify version shows V3.1.2.2 or higher in application interface. Test that CreateLog functionality works without SQL injection.

📡 Detection & Monitoring

Log Indicators:

Unusual SQL queries in application logs
Multiple failed authentication attempts followed by successful login
Unexpected database operations from NetworkService account

Network Indicators:

SQL injection patterns in traffic to port 8000
Unusual outbound connections from TeleControl Server system

SIEM Query:

source="TeleControl*" AND ("CreateLog" OR "SQL" OR "injection") AND severity>=high

📊 Metadata

CVE ID: CVE-2025-32865

CVSS v3 Score: 8.8 (HIGH)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CWE: CWE-89

EPSS Score: 0.94% exploit probability (75.9th percentile)

Published: April 16, 2025

Last Updated: August 19, 2025

🔗 References

https://cert-portal.siemens.com/productcert/html/ssa-443402.html Vendor Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2025-32865, you might also want to check these: