SQL Injection Vulnerability in TeleControl Server Basic by Siemens
CVE-2025-30003
8.8HIGH
Summary
A vulnerability exists in the TeleControl Server Basic application, affecting all versions prior to 3.1.2.2. This issue arises from improper handling of the 'UpdateProjectConnections' method, which is susceptible to SQL injection. An authenticated attacker could exploit this flaw to bypass authorization mechanisms, granting them unauthorized access to the database. This access could allow the attacker to not only read sensitive data but also write or execute commands with elevated privileges, specifically under the 'NT AUTHORITY\NetworkService' context. For successful exploitation, the attacker must have access to port 8000 on a system running a vulnerable version of the software.
References
CVSS V3.1
Score:
8.8
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged
Timeline
Vulnerability published