CRITICAL🇵🇱 Wersja polska

CVE-2025-27540

CVSS 9.3v4.0pub. 2025-04-16upd. 2025-08-19

A vulnerability has been identified in TeleControl Server Basic (All versions < V3.1.2.2). The affected application is vulnerable to SQL injection through the internally used 'Authenticate' method. This could allow an unauthenticated remote attacker to bypass authorization controls, to read from and write to the application's database and execute code with "NT AUTHORITY\NetworkService" permissions. A successful attack requires the attacker to be able to access port 8000 on a system where a vulnerable version of the affected application is executed on. (ZDI-CAN-25913)

CVSS Vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
  • Siemens Telecontrol Server Basic

    APP
    Siemens
    < 3.1.2.2
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
SQLi
CWE
References

Related vulnerabilities

CVE-2025-40765CRITICAL9.3PL ✓ten sam produkt

Ujawnienie haseł i nieautoryzowany dostęp do bazy danych w Siemens TeleControl Server Basic

CVE-2025-27495CRITICAL9.3PL ✓ten sam produkt

SQL Injection w Siemens TeleControl Server Basic — nieautoryzowany dostęp i RCE

CVE-2025-27539CRITICAL9.3PL ✓ten sam produkt

SQL Injection w Siemens TeleControl Server Basic – obejście autoryzacji i RCE

CVE-2024-44102CRITICAL10.0PL ✓ten sam produkt

Siemens TeleControl Server Basic — niebezpieczna deserializacja umożliwiająca RCE z uprawnieniami SYSTEM

CVE-2025-40942HIGH7.3ten sam produkt

A vulnerability has been identified in TeleControl Server Basic (All versions < V3.1.2.4). Affected applicatio...