Full Report
TeleControl Server Basic before V3.1.2.4 contains a local privilege escalation vulnerability that could allow an attacker to run arbitrary code with elevated privileges. Siemens has released a new version of TeleControl Server Basic and recommends updating to the latest version.
Analysis Summary
# Vulnerability: Local Privilege Escalation in TeleControl Server Basic
## CVE Details
- CVE ID: CVE-2025-40942
- CVSS Score: 8.8 (Critical based on CVSS v3.1) / 7.3 (High based on CVSS v4.0)
- CWE: CWE-250: Execution with Unnecessary Privileges
## Affected Systems
- Products: TeleControl Server Basic
- Versions: All versions prior to V3.1.2.4
- Configurations: Local access required.
## Vulnerability Description
The vulnerability is a local privilege escalation flaw in TeleControl Server Basic. Successful exploitation allows an attacker who already has local access to run arbitrary code with elevated privileges on the affected system.
## Exploitation
- Status: Not explicitly detailed; standard vulnerability disclosure context implies potential for exploitation.
- Complexity: Low (AC:L in CVSS 3.1 vector)
- Attack Vector: Local (AV:L)
## Impact
- Confidentiality: High (H)
- Integrity: High (H)
- Availability: High (H)
## Remediation
### Patches
- Update to **V3.1.2.4 or later version**.
- Vendor link for update: hxxps://support.industry.siemens.com/cs/ww/en/view/109997944/
### Workarounds
- No specific workarounds are detailed beyond general measures. Users are advised to follow general security recommendations and operational guidelines.
## Detection
- No specific Indicators of Compromise (IOCs) provided in the summary.
- Detection should focus on monitoring for unexpected process execution or unauthorized privilege changes originating from local user sessions or compromised accounts on the server.
## References
- Vendor Advisory: SSA-192617
- Siemens ProductCERT Advisories: hxxps://www.siemens.com/cert/advisories
- Siemens Security Guidelines: hxxps://www.siemens.com/industrialsecurity; hxxps://www.siemens.com/cert/operational-guidelines-industrial-security