SQL Injection Vulnerability in TeleControl Server Basic by Siemens
CVE-2025-32827

8.8HIGH

Key Information:

Vendor: Siemens
Status: TeleControl Server Basic
Vendor: CVE Published:; 16 April 2025

Summary

A SQL injection vulnerability exists in TeleControl Server Basic, affecting all versions prior to 3.1.2.2. This vulnerability arises from improper handling of requests to the 'ActivateProject' method. An authenticated remote attacker could exploit this flaw to bypass authorization controls, allowing them to read and write to the database while executing commands with 'NT AUTHORITY\NetworkService' privileges. Successful exploitation requires network access to port 8000 of the vulnerable application.

References

https://cert-portal.siemens.com/productcert/html/ssa-4434...

CVSS V3.1

Score:

8.8

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Apr 16, 2025