Full Report
TeleControl Server Basic before V3.1.2.2 contains multiple SQL Injection vulnerabilities that could allow an attacker to read and write to the application’s DB, cause denial of service and execute code in an OS shell with limited “NT AUTHORITY” permissions. Siemens has conducted a root-cause analysis for potential SQL injection vulnerabilities and has identified the locations in the code base where the underlying legacy design pattern has been used in. TeleControl Server Basic V3.1.2.2 has fixed all occurrences in the affected product. Siemens has released a new version for TeleControl Server Basic and recommends to update to the latest version.
Analysis Summary
# Vulnerability: Multiple SQL Injection Vulnerabilities in TeleControl Server Basic
## CVE Details
- **CVE ID:** CVE-2025-27495, CVE-2025-27539, CVE-2025-27540, CVE-2025-29905, CVE-2025-30002, CVE-2025-30003, CVE-2025-30030, CVE-2025-30031, CVE-2025-30032, CVE-2025-31343, CVE-2025-31349 through CVE-2025-31353, CVE-2025-32475, CVE-2025-32822 through CVE-2025-32849, CVE-2025-32872 (and others).
- **CVSS Score:** 9.8 (Critical) / CVSS v4.0: 9.3
- **CWE:** CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
## Affected Systems
- **Products:** Siemens TeleControl Server Basic
- **Versions:** All versions prior to V3.1.2.2
- **Configurations:** Systems where the application is accessible via network ports (specifically port 8000/tcp).
## Vulnerability Description
TeleControl Server Basic contains multiple SQL injection vulnerabilities stemming from a legacy design pattern used throughout the codebase. These flaws exist in several internal methods, including `GetOverview`. Due to improper neutralization of special elements in SQL commands, an attacker can inject malicious queries into the backend database.
## Exploitation
- **Status:** PoC not currently mentioned as public; identified via root-cause analysis and coordinated disclosure.
- **Complexity:** Low
- **Attack Vector:** Network
- **Requirements:** For several of the specific CVEs (e.g., CVE-2025-32872), the attacker requires network access to port 8000 and "Low" privileges (authenticated user). However, the aggregate CVSS score of 9.8 suggests some variations may be exploitable without privileges.
## Impact
- **Confidentiality:** High (Full access to read application database records)
- **Integrity:** High (Ability to write to/modify the database and bypass authorization controls)
- **Availability:** High (Potential for Denial of Service or OS shell execution with `NT AUTHORITY\NetworkService` permissions via SQL-to-OS features)
## Remediation
### Patches
- **Update to TeleControl Server Basic V3.1.2.2** or later. This version addresses the legacy design pattern and fixes all identified occurrences of the vulnerability.
### Workarounds
- Siemens recommends limiting access to the application to trusted users and networks.
- Ensure the server is protected by a firewall and that port 8000 is not exposed to untrusted environments.
## Detection
- **Indicators of Compromise:** Monitor SQL logs for unusual query syntax, unexpected batch commands, or evidence of `xp_cmdshell` (or equivalent) usage.
- **Detection methods and tools:** Network security monitoring for suspicious traffic directed at port 8000. Use Vulnerability Scanners updated with the latest Siemens definitions to identify outdated versions.
## References
- Siemens Security Advisory SSA-443402: hxxps://cert-portal[.]siemens[.]com/productcert/pdf/ssa-443402[.]pdf
- Siemens ProductCERT: hxxps://www[.]siemens[.]com/cert/advisories