Primary

Context

Siemens TeleControl Server Basic SQL Injection Vulnerability Allowing Database Access and Code Execution

Vulnerability

Patched

A SQL injection vulnerability has been identified in Siemens TeleControl Server Basic, affecting all versions prior to V3.1.2.2. The vulnerability arises in the 'LockProjectCrossCommunications' method, allowing authenticated remote attackers to bypass authorization, manipulate the application's database, and execute code with 'NT AUTHORITY\NetworkService' permissions. Exploitation requires access to port 8000 on the vulnerable system.

Impact

Successful exploitation allows for unauthorized database access and manipulation, and execution of code in the operating system shell with limited 'NT AUTHORITY\NetworkService' permissions.

Remediation

Users are advised to update TeleControl Server Basic to version V3.1.2.2 or later. For additional guidance, consult the Siemens support page for TeleControl Server Basic.

Added: Jun 9, 2025, 7:46 PM

Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread

0.3

impact

10.0

exploitability

4.9

remediation

7.9

relevance

0.0

threat

0.0

urgency

2.9

incentive

1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Vulnerability Rating

Custom Algorithm

spread

0.3

impact

10.0

exploitability

4.9

remediation

7.9

relevance

0.0

threat

0.0

urgency

2.9

incentive

1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Siemens TeleControl Server Basic SQL Injection Vulnerability Allowing Database Access and Code Execution

Vulnerability

Impact

Remediation

Affected Products

Siemens TeleControl Server Basic

CVSS Scores

References

Vulnerability Rating

Vulnerability Rating