SQL Injection Vulnerability in TeleControl Server Basic by Siemens
CVE-2025-29905

8.8HIGH

Key Information:

Vendor: Siemens
Status: TeleControl Server Basic
Vendor: CVE Published:; 16 April 2025

What is CVE-2025-29905?

A vulnerability exists in TeleControl Server Basic that allows for SQL injection through the 'RestoreFromBackup' method. This issue affects all versions prior to V3.1.2.2 and permits an authenticated remote attacker to bypass authorization controls. The attacker can exploit the vulnerability by accessing port 8000 on a system running a vulnerable version of the software, enabling them to read from and write to the application's database and execute code with elevated permissions.

References

https://cert-portal.siemens.com/productcert/html/ssa-4434...

CVSS V3.1

Score:

8.8

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Apr 16, 2025

JSON