SQL Injection Vulnerability in TeleControl Server Basic by Siemens

CVE-2025-31343

Summary

A SQL injection vulnerability has been discovered in TeleControl Server Basic, specifically in versions prior to V3.1.2.2. This flaw allows an authenticated remote attacker to exploit the 'UpdateTcmSettings' method, which is internally used by the application. If successfully executed, the attacker can bypass authorization controls, gaining unauthorized access to read from and manipulate the application's database. Furthermore, this vulnerability permits code execution under the 'NT AUTHORITY\NetworkService' account, potentially leading to severe security breaches. To exploit this vulnerability, an attacker must have access to port 8000 on a system running the vulnerable version of the application.

References