Full Report
TeleControl Server Basic V3.1 contains an information disclosure vulnerability that could allow an unauthenticated remote attacker to obtain the password hashes of users and then log in to the database service and perform authenticated operations on it. Siemens has released a new version of TeleControl Server Basic V3.1 and recommends updating to the latest version.
Analysis Summary
# Vulnerability: Information Disclosure leading to Database Authentication Bypass in TeleControl Server Basic
## CVE Details
- CVE ID: CVE-2025-40765
- CVSS Score: 9.8 (Critical) (based on CVSS v3.1)
- CWE: CWE-306: Missing Authentication for Critical Function
## Affected Systems
- Products: TeleControl Server Basic
- Versions: All versions >= V3.1.2.2 and < V3.1.2.3
- Configurations: Not specified beyond the affected version range.
## Vulnerability Description
This is an Information Disclosure vulnerability stemming from a Missing Authentication for Critical Function weakness. An unauthenticated remote attacker can exploit this flaw to obtain the password hashes of users. Successful exploitation allows the attacker to subsequently log in and perform all authenticated operations against the underlying database service.
## Exploitation
- Status: Not explicitly stated as exploited in the wild, but the high severity and direct access capability suggest high risk.
- Complexity: Low (AC:L, PR:N, UI:N) - The attack is network-accessible with no privileges or user interaction required.
- Attack Vector: Network (AV:N)
## Impact
- Confidentiality: High (H) - Password hashes obtained, leading to account compromise.
- Integrity: High (H) - Authenticated operations on the database can be performed.
- Availability: High (H) - Potential for database or service disruption through authenticated misuse.
## Remediation
### Patches
- **Update to V3.1.2.3 or a later version.**
- Vendor link for details: https://support.industry.siemens.com/cs/ww/en/view/109995705/
### Workarounds
- Restrict access to **port 8000** on the affected systems to **trusted IP addresses only**.
- Follow general security recommendations provided by Siemens, including adhering to operational guidelines for Industrial Security.
## Detection
- **Indicators of Compromise (IoCs):** Look for undocumented or unauthorized remote connections attempting to access services on port 8000, especially if the connection originates from untrusted external networks.
- **Detection Methods and Tools:** Network monitoring solutions analyzing traffic to port 8000 for unusual data retrieval patterns consistent with password hash harvesting.
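As an added example (not code from the advisory or from Siemens), the following Python check applies the workaround and detection guidance above to constructed firewall-style connection records: it flags every connection to TCP port 8000 whose source lies outside an assumed trusted allowlist, and counts repeated allowed connections from one untrusted source as a possible hash-harvesting burst. The log line format, the trusted network and the burst threshold are assumptions.

```python
import ipaddress
from collections import Counter

# Constructed sample firewall log (not real traffic). Assumed format:
# "<timestamp> src=<ip> dst=<ip> dport=<port> proto=tcp action=<allow|deny>"
SAMPLE_LOG = """\
2025-01-10T08:00:01Z src=10.10.5.20 dst=10.10.1.50 dport=8000 proto=tcp action=allow
2025-01-10T08:00:05Z src=203.0.113.45 dst=10.10.1.50 dport=8000 proto=tcp action=allow
2025-01-10T08:00:06Z src=203.0.113.45 dst=10.10.1.50 dport=8000 proto=tcp action=allow
2025-01-10T08:00:07Z src=203.0.113.45 dst=10.10.1.50 dport=8000 proto=tcp action=allow
2025-01-10T08:00:09Z src=10.10.5.21 dst=10.10.1.50 dport=443 proto=tcp action=allow
2025-01-10T08:00:12Z src=198.51.100.7 dst=10.10.1.50 dport=8000 proto=tcp action=deny
"""

# Assumed allowlist: the engineering network permitted to reach port 8000.
TRUSTED_NETS = [ipaddress.ip_network("10.10.5.0/24")]
TELECONTROL_PORT = 8000  # port named in the advisory's workaround


def parse_line(line):
    """Split one log line into a dict of its key=value fields plus 'ts'."""
    parts = line.split()
    rec = dict(kv.split("=", 1) for kv in parts[1:])
    rec["ts"] = parts[0]
    rec["dport"] = int(rec["dport"])
    return rec


def is_trusted(src):
    """True if the source address falls inside any allowlisted network."""
    ip = ipaddress.ip_address(src)
    return any(ip in net for net in TRUSTED_NETS)


def find_untrusted_access(log_text, burst_threshold=3):
    """Return (alerts, bursts).

    alerts: every port-8000 record from an untrusted source (allowed or denied),
            since even denied attempts show the service is being probed.
    bursts: untrusted sources with >= burst_threshold allowed connections,
            the repeated-retrieval pattern the detection guidance describes.
    """
    alerts, allowed = [], Counter()
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        rec = parse_line(raw)
        if rec["dport"] != TELECONTROL_PORT or is_trusted(rec["src"]):
            continue
        alerts.append(rec)
        if rec["action"] == "allow":
            allowed[rec["src"]] += 1
    bursts = {src: n for src, n in allowed.items() if n >= burst_threshold}
    return alerts, bursts
```

Any allowed connection in `alerts` also means the port 8000 restriction from the Workarounds section is not in force for that source.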
## References
- Vendor Advisory: SSA-062309
- Siemens ProductCERT Advisories: https://www.siemens.com/cert/advisories
- General Security Guidelines: https://www.siemens.com/cert/operational-guidelines-industrial-security