SQL Injection Vulnerability in TeleControl Server Basic by Siemens
CVE-2025-32843

8.7HIGH

Key Information:

Vendor: Siemens
Status: Telecontrol Server Basic
Vendor: CVE Published:; 16 April 2025

What is CVE-2025-32843?

A vulnerability has been discovered in Siemens TeleControl Server Basic that allows for SQL injection through the internally used 'LockUser' method. This flaw enables an authenticated remote attacker, capable of accessing the system's port 8000, to bypass authorization controls. Consequently, the attacker can read from and write to the application's database, and execute code with the permissions of 'NT AUTHORITY\NetworkService'. Addressing this vulnerability is critical to ensure the integrity and security of the application.

Affected Version(s)

TeleControl Server Basic 0

References

https://cert-portal.siemens.com/productcert/html/ssa-4434...

CVSS V4

Score:

8.7

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

None

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Apr 16, 2025