CVE-2025-30002: SQL Injection in Siemens Telecontrol Server Basic

Severity: 8.7 HIGH (NVD)
EPSS: 0.9% (top 23.69%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Apr 16

Description

A vulnerability has been identified in TeleControl Server Basic (All versions < V3.1.2.2). The affected application is vulnerable to SQL injection through the internally used 'UpdateConnectionVariables' method. This could allow an authenticated remote attacker to bypass authorization controls, to read from and write to the application's database and execute code with "NT AUTHORITY\NetworkService" permissions. A successful attack requires the attacker to be able to access port 8000 on a system wh

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Affected Packages (2 packages)

CVEListV5: siemens/telecontrol_server_basic < V3.1.2.2
NVD: siemens/telecontrol < 3.1.2.2

Vulnerability Details (2)

GHSA: GHSA-j6vg-xxfm-6g75 (2025-04-16): A vulnerability has been identified in TeleControl Server Basic (All versions < V3
CVEList: CVE-2025-30002 (2025-04-16): A vulnerability has been identified in TeleControl Server Basic (All versions < V3

Vendor Advisories (1)

Microsoft (2021-04-13): An issue was discovered in the Linux kernel before 5.11.3 when a webcam device exists. video_usercopy in drivers/media/v4l2-core/v4l2-ioctl.c has a memory leak for large arguments aka CID-fb18802a338b
CVE-2025-30002 — SQL Injection in Siemens | cvebase