Critical vulnerabilities for Siemens TeleControl Server Basic SQL products and Schneider Electric’s Wiser Home Controller WHC-5918A gear topped an April 22 advisory from the Cybersecurity and Infrastructure Security Agency (CISA).

CISA publishes an ICS Advisory when a vendor or researcher discloses a flaw that affects industrial hardware and offers a patch or workaround. The community aims for rapid risk awareness for operators whether or not attacks are happening. This is as opposed to a CVE, which moves to the known exploited vulnerabilities (KEV) catalog only after CISA confirms real exploitation.

In this case, three of the 16 CVEs identified in the ICS Advisory were from the Siemens TeleControl products, garnering a CVSS v4 score of 9.3. The vulnerabilities are CVE-2025-27495, CVE-2025-27539, and CVE-2025-27540. CISA added that exploitation of the Siemens vulnerabilities could let attackers read and write to the application's database, cause a denial-of-service (DoS) condition, and execute code in an OS shell. Exploitation of the Schneider Electric vulnerability — CVE-2024-6407 — could let an attacker disclose sensitive credentials. None of the critical CVEs have been reported to be exploited in the wild as of this report.

“Security staff should treat TeleControl Server Basic SQL versions older than 3.1.2.2 as exposure points because an unauthenticated user on port 8000 can inject SQL, change process data, open an OS shell under Network Service, or crash the service,” said Jason Soroko, a senior fellow at Sectigo.

Soroko said security teams should block the port at every ingress edge, isolate the server on its own VLAN, collect logs on every SQL statement, and move to the fixed Siemens build. Where downtime will not be approved, Soroko said teams should place an inline WAF or reverse proxy that drops SQL metacharacters.

Tim Mackey, head of software supply chain risk strategy at Black Duck, explained that CISA issues the ICS Advisories because many organizations have differing cybersecurity requirements for IT staff versus OT systems.

“Since OT systems typically include systems controlling a manufacturing or production line, or an industrial environment, patch processes are often more involved than simply updating a laptop and rebooting it,” said Mackey.

Critical Infrastructure Security, OT Security, ICS/SCADA
Critical bugs in Siemens, Schneider Electric gear top CISA advisory
