SQL Injection Vulnerability in TeleControl Server Basic by Siemens
CVE-2025-31350

8.8HIGH

Key Information:

Vendor: Siemens
Status: TeleControl Server Basic
Vendor: CVE Published:; 16 April 2025

Summary

A SQL injection vulnerability has been discovered in the TeleControl Server Basic application, affecting all versions prior to 3.1.2.2. This vulnerability allows an attacker with authenticated access to exploit the 'UpdateBufferingSettings' method, potentially bypassing authorization controls. By accessing the application on port 8000, the attacker can read from and write to the database, executing code with the privileges of 'NT AUTHORITY\NetworkService'. This presents a substantial risk to the security and integrity of the application's data.

References

https://cert-portal.siemens.com/productcert/html/ssa-4434...

CVSS V3.1

Score:

8.8

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Apr 16, 2025