SQL Injection Vulnerability in TeleControl Server Basic by Siemens
CVE-2025-32835

8.7HIGH

Key Information:

Vendor: Siemens
Status: Telecontrol Server Basic
Vendor: CVE Published:; 16 April 2025

What is CVE-2025-32835?

A vulnerability exists in TeleControl Server Basic affecting all versions earlier than V3.1.2.2, allowing SQL injection through the 'UpdateConnectionVariableArchivingBuffering' method. This flaw could enable authenticated remote attackers to bypass authorization and gain unauthorized access to the database. Attackers with access to port 8000 of a vulnerable server may exploit this vulnerability to read, write, and execute commands within the database with elevated permissions associated with 'NT AUTHORITY\NetworkService'.

Affected Version(s)

TeleControl Server Basic 0

References

https://cert-portal.siemens.com/productcert/html/ssa-4434...

CVSS V4

Score:

8.7

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

None

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Apr 16, 2025