Critical CVE-2025-40765 in TeleControl Server Basic: Patch Now

Siemens has published an emergency patch for a critical flaw in TeleControl Server Basic after security researchers disclosed an information‑disclosure bug that lets unauthenticated remote attackers obtain password hashes from the product’s database service. The vulnerability is tracked as CVE‑2025‑40765 and rated critical by multiple scoring authorities. It affects TeleControl Server Basic V3.1 builds from V3.1.2.2 up to (but not including) V3.1.2.3; Siemens has released V3.1.2.3 to address the issue and recommends updating immediately, with network mitigations such as restricting access to the product’s default database port (TCP/8000) in the meantime.

Background

TeleControl Server Basic (TCSB) is a Siemens product used for remote monitoring and control in industrial environments, commonly deployed in utilities, water treatment, and other critical‑manufacturing contexts. The product exposes a database service (commonly listening on TCP port 8000) that implements remote operations including authentication and user management; the newly disclosed vulnerability targets that service and its operations. Siemens and multiple vulnerability trackers (NVD, Tenable) have classified this family of TeleControl flaws as high‑to‑critical in severity and have been publishing a string of advisories through 2024–2025 addressing several distinct issues in the product.
Siemens ProductCERT and independent security vendors reported and coordinated fixes across several advisories throughout 2024 and 2025, with remediation guidance evolving from broad upgrades (move to V3.1.2 or later) to targeted patches for individual CVEs. The CVE most directly associated with the password‑hash disclosure is CVE‑2025‑40765; it was publicly documented alongside Siemens’ advisory and research advisories from vendors that helped discover and disclose the issue.

Executive summary of the vulnerability

  • Vulnerability: Information disclosure — password hash disclosure from TeleControl Server Basic database service.
  • CVE: CVE‑2025‑40765.
  • Affected versions: TeleControl Server Basic V3.1.2.2 ≤ version < V3.1.2.3 (i.e., V3.1.2.2 is vulnerable; V3.1.2.3 or later is the fix).
  • Exploitability: Remotely exploitable; no privileges required; low attack complexity.
  • Default service: Database service on TCP port 8000 — exploitation requires network access to that port.
  • Severity: Critical. Published scores: CVSS v3.1 base score 9.8; CVSS v4.0 base score 9.3 (vendor and researcher figures).
  • Immediate remedy: Upgrade to TeleControl Server Basic V3.1.2.3 or later; restrict access to port 8000 until patched.

Technical analysis

What the flaw does — the core issue

The vulnerability is an information disclosure in the TeleControl Server Basic database service. Attackers can call remote operations exposed by the service to retrieve stored password hashes for local TeleControl users. The database service’s Authenticate operation uses a password hash — not a plain password — for authentication, which means an attacker who can obtain a user's stored hash may be able to authenticate directly by presenting that hash to Authenticate or by otherwise impersonating the account. Once authenticated, the attacker can invoke administrative methods (for example, UpdateUsers) to add privileged accounts or change configurations. This behavior creates a “pass‑the‑hash” style risk within the product’s own authentication model.

Attack vector and prerequisites

  • Attack vector: Network (remote). Exploitation requires connectivity to the TeleControl database service (default TCP port 8000); any firewall or segmentation configuration that leaves that port reachable from untrusted networks significantly increases risk.
  • Authentication: None required for the information disclosure described by CVE‑2025‑40765; an unauthenticated attacker can invoke the service methods that leak password hashes.
  • Complexity: Low — no complex sequencing or local access is needed once network reachability is established.

Consequences of exploitation

Successful exploitation allows an attacker to:
  • Obtain password hashes of TeleControl users (sensitive secret material).
  • Authenticate to the database service by reusing hashes (bypassing password knowledge).
  • Perform authenticated database operations, including adding administrative accounts or modifying user records (e.g., UpdateUsers).
  • Potentially pivot from the TeleControl host into industrial workflows or other networked control systems depending on local privileges and network configuration.
Because the database service runs under service accounts and may have access to critical configuration and control interfaces, the impact can escalate from credential theft to persistent control over industrial remote monitoring and control functions.

What isn’t known (and should be treated cautiously)

  • The precise hashing algorithm and whether hashes are salted or otherwise hardened is not disclosed in public advisories. That detail matters for offline cracking feasibility, and it was not published in the Siemens advisory or Tenable research notes available at the time of disclosure. Treat any claim about immediate offline cracking of hashes as unverifiable until vendors publish algorithmic details or customers can examine their local deployments. This uncertainty increases the operator responsibility to treat exposed hashes as fully compromised and to perform password resets and credential rotation.

Attack scenarios and real‑world risk

Short timeline attack scenario

  • An attacker scans infrastructure and identifies an exposed TeleControl Server Basic instance responding on port 8000.
  • The attacker issues the service call(s) that trigger the information‑disclosure path and retrieves stored password hashes.
  • The attacker calls the Authenticate operation using the retrieved hash (or uses offline cracking if feasible) and obtains authenticated access.
  • With authenticated access the attacker invokes privileged operations such as UpdateUsers to create an administrative account or modify configuration, enabling persistence and lateral movement.
Because the service accepts hashes as authentication material, the third step needs no cracking at all when the service accepts the stored hash directly, which is what makes the scenario especially dangerous.
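As an added illustration of the authentication model described in the technical analysis and in the scenario above (this is hypothetical example code, not TeleControl Server Basic’s own implementation; the class and method names, the choice of SHA‑256 and PBKDF2, the sample credentials and the stand‑in "leak" operation are all assumptions), the following Python contrasts a service whose Authenticate accepts the stored hash as the credential with one that derives a salted, iterated verifier server‑side from the password it receives. A leaked hash authenticates directly against the first and not at all against the second.

```python
"""Hypothetical model of the authentication design flaw discussed in the article.
Not Siemens code: names, algorithms and credentials here are assumptions."""
import hashlib
import hmac
import os


class VulnerableService:
    """Authenticate() takes the stored hash itself as the credential, so a
    hash obtained through an unauthenticated disclosure path is reusable."""

    def __init__(self):
        self._users = {}  # username -> unsalted sha256 hex digest

    def add_user(self, username, password):
        self._users[username] = hashlib.sha256(password.encode()).hexdigest()

    def leak_hashes(self):
        # Stand-in for the unauthenticated information-disclosure operation.
        return dict(self._users)

    def authenticate(self, username, password_hash):
        stored = self._users.get(username)
        return stored is not None and hmac.compare_digest(stored, password_hash)

    def update_users(self, session_ok, username, password):
        # Privileged operation, reachable once authenticate() succeeded.
        if not session_ok:
            raise PermissionError("not authenticated")
        self.add_user(username, password)


class HardenedService:
    """Authenticate() takes the password (assumed to travel over TLS); the
    server derives a salted, iterated PBKDF2 verifier and compares. A leaked
    verifier cannot be replayed and only enables slow offline guessing."""

    ITERATIONS = 600_000  # assumed work factor; tune to your hardware budget

    def __init__(self):
        self._users = {}  # username -> (salt, verifier)

    @classmethod
    def _verifier(cls, password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, cls.ITERATIONS)

    def add_user(self, username, password):
        salt = os.urandom(16)
        self._users[username] = (salt, self._verifier(password, salt))

    def leak_hashes(self):
        # Same disclosure path; what leaks is now (salt, verifier), not a credential.
        return {u: (s.hex(), v.hex()) for u, (s, v) in self._users.items()}

    def authenticate(self, username, password):
        entry = self._users.get(username)
        if entry is None:
            # Burn comparable time so a missing user is not a timing oracle.
            self._verifier(password, b"\x00" * 16)
            return False
        salt, verifier = entry
        return hmac.compare_digest(verifier, self._verifier(password, salt))


def pass_the_hash(service):
    """Attacker flow from the article: leak the table, then present the
    leaked material as the credential. True means the attacker is in."""
    leaked = service.leak_hashes()
    credential = leaked["operator"]
    if isinstance(credential, tuple):   # hardened layout is (salt, verifier)
        credential = credential[1]
    return service.authenticate("operator", credential)


def demo():
    """Returns (vulnerable login succeeded, hardened login succeeded,
    backdoor account created on the vulnerable service)."""
    vuln = VulnerableService()
    vuln.add_user("operator", "correct horse battery staple")
    hard = HardenedService()
    hard.add_user("operator", "correct horse battery staple")
    vuln_result = pass_the_hash(vuln)
    hard_result = pass_the_hash(hard)
    if vuln_result:
        # Fourth step of the scenario: add a persistent administrative account.
        vuln.update_users(True, "backdoor", "hunter2")
    return vuln_result, hard_result, "backdoor" in vuln.leak_hashes()


if __name__ == "__main__":
    print(demo())
```

A challenge‑response variant in which the server keeps the derived key would not remove the problem: whatever secret the server can use to verify a response is reusable if it leaks. What closes the pass‑the‑hash path is never accepting the stored verifier as a credential and storing only something that must be recomputed from the password; a leaked verifier then buys offline guessing, which salting and a high iteration count slow down.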

Impact to industrial environments

  • TeleControl deployments are common in critical manufacturing and utility environments; a compromise could result in unauthorized manipulation of telemetry, remote control of field devices, or disruption of monitoring workflows.
  • Even if the attacker’s goals are limited to reconnaissance, stolen credentials can be reused across similar systems or harvested for supply‑chain and espionage objectives.
  • Unpatched instances exposed to business networks or the internet significantly raise the risk profile. Many ICS/OT environments lack rapid patch cycles, which increases the window of exposure once a public advisory appears.

Vendor response and disclosure timeline

  • Researcher/vendor engagement: Tenable reported the issue to Siemens on July 23, 2025, and maintained coordinated communication through the autumn. Siemens published its advisory and the updated software on October 14, 2025, per Tenable’s disclosure timeline. The public CVE record and NVD listing followed the vendor advisory.
  • Patch: Siemens released TeleControl Server Basic V3.1.2.3 to address the password‑hash disclosure and advised customers to upgrade. Siemens’ ProductCERT published multiple related advisories for TCSB over 2024–2025 documenting SQL injection, deserialization, and other vulnerabilities addressed in successive updates.
  • Coordination: Multiple coordinated disclosure actions across vendors (Trend Micro ZDI, Tenable, Siemens ProductCERT) produced a series of CVEs and advisories; customers should review all TeleControl advisories for cumulative risk and remediations.
Critical commentary on the vendor timeline: while Siemens ultimately published a corrective release, the disclosure and patch cycle spanned several months from initial reporting to public remediation. For operational teams, that gap underscores the need for network controls and compensating mitigations while waiting for vendor fixes.

Mitigation and hardening guidance

Immediate actions for organizations running TeleControl Server Basic:
  • Patch immediately
    • Upgrade affected TeleControl Server Basic instances to V3.1.2.3 or later as soon as the maintenance window allows. This is the primary and recommended remediation.
  • Restrict network access to the database service
    • Block or tightly restrict inbound access to TCP/8000 at network perimeter and internal firewalls.
    • Allow only trusted management subnets and jump hosts access to TeleControl services. Siemens explicitly recommends restricting port 8000 to trusted IP addresses as a temporary mitigation.
  • Isolate control networks
    • Place TeleControl hosts on segmented, firewalled segments separate from corporate and internet‑facing networks.
    • Ensure strict egress filtering to limit outbound command‑and‑control possibilities.
  • Rotate credentials and assume compromise
    • Treat all TeleControl user accounts whose hashes may have been exposed as compromised.
    • Reset passwords and rotate service account credentials, but only after the patch or the port restriction is in place: hashes rotated on a still‑exposed instance can simply be harvested again. Where possible, invalidate stored hashes or force re‑enrollment.
    • Maintain an audit trail of account changes and require multi‑factor authentication for operator accounts where supported.
  • Monitoring and detection
    • Monitor access logs for the database service (calls to Authenticate, UpdateUsers, or other IDatabaseService operations).
    • Watch for unusual user additions, privilege escalations, or connections from unexpected IPs.
    • Deploy IDS/IPS rules to detect calls to the TeleControl database API or anomalous traffic to TCP/8000.
  • Compensating controls for remote access
    • If remote management is required, use secure remote access solutions that are hardened and monitored (e.g., jump hosts, strongly configured VPNs with MFA).
    • Avoid exposing the TeleControl database service directly to the internet under any circumstances. CISA guidance emphasizes minimizing network exposure for ICS assets.
  • Incident response preparedness
    • If an exposure is suspected, follow established IR procedures: capture forensic images, collect logs, rotate credentials, and perform configuration audits.
    • Notify relevant stakeholders and authorities per regulatory and contractual requirements.

Detection and hunting playbook

  • Network hunts
    • Scan internal networks for hosts responding on TCP/8000. Prioritize hosts still running the affected build (V3.1.2.2).
    • Correlate with asset inventory to identify which systems are running TeleControl Server Basic and whether they have been patched.
  • Log hunts
    • Search for database service operations: Authenticate, UpdateUsers, UpdateBufferingSettings, CreateTrace, VerifyUser, and other method names mentioned across related advisories.
    • Flag repeated or anomalous Authenticate calls from external hosts or service accounts.
  • Endpoint/host hunts
    • Look for creation of new TeleControl administrative accounts, unexpected changes to local service permissions, or unusual child processes.
  • Threat intelligence
    • Subscribe to vendor ProductCERT advisories and ICS-specific feeds for updated IOCs and detection signatures.
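An added example of the network and log hunts above in Python; it is not vendor tooling. The log line format, the operation name GetUsers used for the disclosure path, the trusted management subnet and the sample lines are constructed assumptions: TeleControl Server Basic’s real log layout is not documented in the advisory, so adapt LINE_RE to whatever your collector emits. The version predicate encodes the affected range from the executive summary so inventory output can be prioritized.

```python
"""Hunt helpers for the TeleControl database service. Hypothetical log format,
operation names and subnet; constructed sample data, not real telemetry."""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

TRUSTED = [ipaddress.ip_network("10.20.0.0/24")]  # assumed management subnet
FIRST_AFFECTED = (3, 1, 2, 2)
PATCHED = (3, 1, 2, 3)

# Assumed line shape: "<iso-ts> src=<ip> op=<Operation> user=<name> result=<ok|fail>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>[\d.]+) op=(?P<op>\w+) "
    r"user=(?P<user>\S*) result=(?P<result>\w+)$"
)

# Constructed sample log: normal operator activity, then an external host that
# pulls the user table, authenticates and adds an account, then a failed-login burst.
SAMPLE_LOG = """\
2025-10-15T08:00:01 src=10.20.0.5 op=Authenticate user=operator result=ok
2025-10-15T08:00:09 src=10.20.0.5 op=UpdateBufferingSettings user=operator result=ok
2025-10-15T09:12:40 src=198.51.100.23 op=GetUsers user= result=ok
2025-10-15T09:12:41 src=198.51.100.23 op=Authenticate user=admin result=ok
2025-10-15T09:12:43 src=198.51.100.23 op=UpdateUsers user=admin result=ok
2025-10-15T09:30:00 src=10.20.0.7 op=Authenticate user=operator result=fail
2025-10-15T09:30:01 src=10.20.0.7 op=Authenticate user=operator result=fail
2025-10-15T09:30:02 src=10.20.0.7 op=Authenticate user=operator result=fail
"""


def parse_version(text):
    """'V3.1.2.2' -> (3, 1, 2, 2)."""
    return tuple(int(part) for part in text.strip().lstrip("Vv").split("."))


def is_affected(version):
    """True for builds in the advisory's range V3.1.2.2 <= v < V3.1.2.3."""
    return FIRST_AFFECTED <= parse_version(version) < PATCHED


def parse(log_text):
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            event = m.groupdict()
            event["ts"] = datetime.fromisoformat(event["ts"])
            events.append(event)
    return events


def is_trusted(ip):
    return any(ipaddress.ip_address(ip) in net for net in TRUSTED)


def hunt(log_text, window=timedelta(minutes=5), fail_threshold=3):
    """Returns (timestamp, source, reason) findings for: any operation from an
    untrusted source, UpdateUsers shortly after a successful Authenticate from
    the same source, and bursts of failed Authenticate calls."""
    findings = []
    last_auth = {}              # src -> time of last successful Authenticate
    fails = defaultdict(list)   # src -> recent failed Authenticate times
    for e in parse(log_text):
        ts, src, op = e["ts"], e["src"], e["op"]
        if not is_trusted(src):
            findings.append((ts.isoformat(), src, f"{op} from untrusted source"))
        if op == "Authenticate":
            if e["result"] == "ok":
                last_auth[src] = ts
            else:
                recent = fails[src]
                recent.append(ts)
                recent[:] = [t for t in recent if ts - t <= window]
                if len(recent) >= fail_threshold:
                    findings.append((ts.isoformat(), src,
                                     f"{len(recent)} failed Authenticate calls within {window}"))
                    recent.clear()
        elif op == "UpdateUsers":
            t0 = last_auth.get(src)
            if t0 is not None and ts - t0 <= window:
                findings.append((ts.isoformat(), src,
                                 "UpdateUsers shortly after Authenticate (possible account add)"))
    return findings


if __name__ == "__main__":
    for host, version in [("tcsb-01", "V3.1.2.2"), ("tcsb-02", "V3.1.2.3")]:
        print(host, version, "AFFECTED" if is_affected(version) else "patched")
    for finding in hunt(SAMPLE_LOG):
        print(*finding)
```

Feed hunt() the exported service log and treat the UpdateUsers‑after‑Authenticate finding as the highest priority: it is the step in the scenario where a stolen hash becomes persistent access.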

Critical analysis — strengths and weaknesses in the response and product design

Notable strengths

  • Siemens has been publishing a series of ProductCERT advisories that address multiple classes of vulnerabilities across TeleControl releases, and the vendor produced incremental patches to remediate different root causes (SQL injection, deserialization, information disclosure). This demonstrates active vendor engagement and patch delivery for legacy product design issues.
  • Multiple security vendors coordinated disclosure and published research that helped accelerate vendor response and provide customers with technical context and detection guidance.

Concerning weaknesses and risks

  • Architectural risk: the database authentication model appears to accept stored password hashes as valid authentication material. That design decision creates a highly exploitable pass‑the‑hash analogue internal to the product: once a hash is disclosed, no cracking may be necessary to gain authenticated access. The public advisories indicate this behavior, which substantially increases impact.
  • Exposure windows: several vulnerabilities across 2024–2025 required cumulative patching. Customers who deferred upgrades accumulated a compounding risk surface: upgrading to the latest release addresses the issues patched so far, but each deferred update extended the window in which earlier flaws remained exploitable.
  • Limited public detail about stored hash hardening: public advisories do not disclose the hashing scheme or whether salts and modern hashing practices are used. This omission prevents operators from accurately assessing offline cracking risk and complicates post‑incident remediation planning. Treat exposed hashes as fully compromised until proven otherwise.
  • Network‑centric attackability: default exposure of critical services on a well‑known port (8000) makes the product easy to discover in wide scans; organizations that have not restricted access to management ports are particularly vulnerable.

Practical checklist for IT and OT teams (quick actions)

  • Inventory: Identify every TeleControl Server Basic instance and its version.
  • Patch: Plan and apply V3.1.2.3 or later as a top priority.
  • Block: Immediately restrict TCP/8000 to trusted IPs via firewall rules; remove public internet exposure.
  • Rotate: Reset all TeleControl user credentials and service account passwords after patching.
  • Monitor: Enable logging for database service operations and watch for Authenticate/UpdateUsers activity.
  • Segment: Verify that TeleControl hosts live on isolated OT segments with controlled access.
  • Report: If intrusion is suspected, preserve logs and engage incident response teams and vendor support.

Broader implications for ICS security

This vulnerability is one of several in TeleControl Server Basic disclosed during 2024–2025 and highlights recurring themes in ICS security: legacy code patterns, insecure-by‑design authentication models, and the risks created when management services are reachable from untrusted networks. The incident reinforces enduring ICS best practices: minimize network exposure, proactively segment OT networks, maintain an aggressive patch posture for vendor advisories, and adopt strong authentication designs that don’t rely on reusable secret material accepted directly by services.
Government and industry guidance repeatedly emphasize layered defenses — network controls, hardened remote access, asset visibility, and rapid patching — all of which mitigate these kinds of product design exposures even when vendor fixes are delayed or incomplete.

What operators should demand from vendors going forward

  • Clear cryptographic hygiene disclosures: operators should know how credentials are stored (hash algorithm, salting, iteration counts) so they can assess offline cracking risk and plan rotations accordingly.
  • Secure authentication redesign: vendor products should avoid designs where stored secret material can be used directly for authentication operations without additional factors or protections.
  • Faster patch cycles and clear timelines: coordinated disclosure timelines are improving, but operators need concrete SLA‑level guidance for critical fixes in ICS products.
  • Better telemetry and logging: richer, actionable logs for management and authentication operations would speed detection of misuse and forensic investigation.

Conclusion

CVE‑2025‑40765 in Siemens TeleControl Server Basic is a critical, remotely exploitable information‑disclosure vulnerability that can lead to immediate, authenticated access to the product’s database service by reusing stolen password hashes. The combination of low attack complexity, unauthenticated access, and a service that accepts hashes for authentication elevates this issue to a top‑priority remediation for organizations using TeleControl Server Basic in industrial environments.
The strongest immediate action is to apply Siemens’ patch (V3.1.2.3 or later) without delay and to restrict access to TCP/8000 until the update is applied. Additionally, operators should rotate credentials, harden network segmentation, and deploy monitoring to detect suspicious database service activity. Given the critical infrastructure role many TeleControl instances play, defenders must assume compromised hashes are fully exposed and act accordingly while vendors continue improving product designs and post‑incident transparency.

Source: CISA Siemens TeleControl Server Basic | CISA