SQL Injection Vulnerability in TeleControl Server Basic by Siemens
CVE-2025-32831

8.7HIGH

Key Information:

Vendor
Siemens
Status
Telecontrol Server Basic
Vendor
CVE Published:
16 April 2025

Summary

A vulnerability has been detected in TeleControl Server Basic, affecting all versions prior to 3.1.2.2. This vulnerability allows an authenticated remote attacker to perform SQL injection via the 'UpdateProjectUserRights' method. If exploited, the attacker can bypass authorization controls to gain unauthorized access to the application's database, allowing them to read and write data as well as execute code with elevated privileges under 'NT AUTHORITY\NetworkService'. An attack is feasible if the attacker has access to port 8000 on a system running the affected application.

Affected Version(s)

TeleControl Server Basic 0

References

https://cert-portal.siemens.com/productcert/html/ssa-4434...

CVSS V4

Score:
8.7
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

.
CVE-2025-32831 : SQL Injection Vulnerability in TeleControl Server Basic by Siemens | SecurityVulnerability.io