Massive number of SQL Injection Vulnerabilities reported in Siemens TeleControl Server Basic
Take action: If you are using TeleControl Server Basic, make sure it's isolated from the internet and accessible only from trusted networks. Restrict access to port 8000 only to trusted IP addresses, and plan a quick patch cycle. The list of vulnerabilities is huge, and any isolation will eventually be compromised through phishing, malware or a disgruntled employee. So patch your TeleControl.
Siemens has disclosed a massive list of security vulnerabilities in their TeleControl Server Basic product and CISA is releasing an urgent security advisory ICSA-25-112-01.
This industrial control system software is widely deployed across critical infrastructure sectors including Energy, Water and Wastewater Systems, and Transportation Systems worldwide.
A total of 67 SQL injection vulnerabilities have been identified in Siemens TeleControl Server Basic, affecting versions prior to V3.1.2.2. The vulnerabilities stem from improper neutralization of special elements used in SQL commands throughout numerous internal methods of the application.
These SQL injection flaws can be exploited by attackers to:
- Read from and write to the application's database
- Cause denial-of-service conditions
- Execute code with "NT AUTHORITY\NetworkService" permissions
- Bypass authorization controls
Critical vulnerabilities
- CVE-2025-27495 (CVSS score 9.3) - Affects the 'CreateTrace' method and allows unauthenticated remote attackers to bypass authorization controls
- CVE-2025-27539 (CVSS score 9.3) - Affects the 'VerifyUser' method and allows unauthenticated remote attackers to bypass authorization controls
- CVE-2025-27540 (CVSS score 9.3) - Affects the 'Authenticate' method and allows unauthenticated remote attackers to bypass authorization controls
The remaining 64 vulnerabilities are high-severity SQL injection issues (CVSS v4 score 8.7) that require authenticated access:
- CVE-2025-29905 - Affects 'RestoreFromBackup' method
- CVE-2025-30002 - Affects 'UpdateConnectionVariables' method
- CVE-2025-30003 - Affects 'UpdateProjectConnections' method
- CVE-2025-30030 - Affects 'ImportDatabase' method
- CVE-2025-30031 - Affects 'UpdateUsers' method
- CVE-2025-30032 - Affects 'UpdateDatabaseSettings' method
- CVE-2025-31343 - Affects 'UpdateTcmSettings' method
- CVE-2025-31349 - Affects 'UpdateSmtpSettings' method
- CVE-2025-31350 - Affects 'UpdateBufferingSettings' method
- CVE-2025-31351 - Affects 'CreateProject' method
- CVE-2025-31352 - Affects 'UpdateGateways' method
- CVE-2025-31353 - Affects 'UpdateOpcSettings' method
- CVE-2025-32475 - Affects 'UpdateProject' method
- CVE-2025-32822 - Affects 'DeleteProject' method
- CVE-2025-32823 - Affects 'LockProject' method
- CVE-2025-32824 - Affects 'UnlockProject' method
- CVE-2025-32825 - Affects 'GetProjects' method
- CVE-2025-32826 - Affects 'GetActiveProjects' method
- CVE-2025-32827 - Affects 'ActivateProject' method
- CVE-2025-32828 - Affects 'UpdateProjectCrossCommunications' method
- CVE-2025-32829 - Affects 'LockProjectCrossCommunications' method
- CVE-2025-32830 - Affects 'UnlockProject' method (different from CVE-2025-32824)
- CVE-2025-32831 - Affects 'UpdateProjectUserRights' method
- CVE-2025-32832 - Affects 'LockProjectUserRights' method
- CVE-2025-32833 - Affects 'UnlockProjectUserRights' method
- CVE-2025-32834 - Affects 'UpdateConnectionVariablesWithImport' method
- CVE-2025-32835 - Affects 'UpdateConnectionVariableArchivingBuffering' method
- CVE-2025-32836 - Affects 'GetConnectionVariables' method
- CVE-2025-32837 - Affects 'GetActiveConnectionVariables' method
- CVE-2025-32838 - Affects 'ImportConnectionVariables' method
- CVE-2025-32839 - Affects 'GetGateways' method
- CVE-2025-32840 - Affects 'LockGateway' method
- CVE-2025-32841 - Affects 'UnlockGateway' method
- CVE-2025-32842 - Affects 'GetUsers' method
- CVE-2025-32843 - Affects 'LockUser' method
- CVE-2025-32844 - Affects 'UnlockUser' method
- CVE-2025-32845 - Affects 'UpdateGeneralSettings' method
- CVE-2025-32846 - Affects 'LockGeneralSettings' method
- CVE-2025-32847 - Affects 'UnlockGeneralSettings' method
- CVE-2025-32848 - Affects 'LockSmtpSettings' method
- CVE-2025-32849 - Affects 'UnlockSmtpSettings' method
- CVE-2025-32850 - Affects 'LockTcmSettings' method
- CVE-2025-32851 - Affects 'UnlockTcmSettings' method
- CVE-2025-32852 - Affects 'LockDatabaseSettings' method
- CVE-2025-32853 - Affects 'UnlockDatabaseSettings' method
- CVE-2025-32854 - Affects 'LockOpcSettings' method
- CVE-2025-32855 - Affects 'UnlockOpcSettings' method
- CVE-2025-32856 - Affects 'LockBufferingSettings' method
- CVE-2025-32857 - Affects 'UnlockBufferingSettings' method
- CVE-2025-32858 - Affects 'UpdateWebServerGatewaySettings' method
- CVE-2025-32859 - Affects 'LockWebServerGatewaySettings' method
- CVE-2025-32860 - Affects 'UnlockWebServerGatewaySettings' method
- CVE-2025-32861 - Affects 'UpdateTraceLevelSettings' method
- CVE-2025-32862 - Affects 'LockTraceLevelSettings' method
- CVE-2025-32863 - Affects 'UnlockTraceLevelSettings' method
- CVE-2025-32864 - Affects 'GetSettings' method
- CVE-2025-32865 - Affects 'CreateLog' method
- CVE-2025-32866 - Affects 'GetLogs' method
- CVE-2025-32867 - Affects 'CreateBackup' method
- CVE-2025-32868 - Affects 'ExportCertificate' method
- CVE-2025-32869 - Affects 'ImportCertificate' method
- CVE-2025-32870 - Affects 'GetTraces' method
- CVE-2025-32871 - Affects 'MigrateDatabase' method
- CVE-2025-32872 - Affects 'GetOverview' method
Siemens has provided the following mitigations:
- Update to TeleControl Server Basic V3.1.2.2 or later
- Restrict access to port 8000 on affected systems to trusted IP addresses only
CISA further recommends:
- Minimizing network exposure for all control system devices
- Placing control systems behind firewalls and isolating them from business networks
- Using secure methods such as VPNs when remote access is required
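To turn the Siemens mitigations above into a repeatable check, the following added example (not code from Siemens, CISA or the original article) triages an asset inventory for hosts still below V3.1.2.2 or with port 8000 open to sources outside the trusted networks. The inventory format, field names, host names and address ranges are constructed assumptions.

```python
import ipaddress

FIXED = (3, 1, 2, 2)   # first fixed release named in the advisory: V3.1.2.2
TCSB_PORT = 8000       # port the advisory says to restrict to trusted IPs

def parse_version(text):
    """Turn 'V3.1.2.2' or '3.1' into a 4-tuple of ints (missing parts become 0)."""
    parts = [int(p) for p in text.strip().lstrip("Vv").split(".")]
    return tuple(parts + [0] * (4 - len(parts)))

def untrusted_sources(allowed, trusted):
    """Return the allowed source ranges that are not fully inside a trusted network."""
    nets = [ipaddress.ip_network(t) for t in trusted]
    bad = []
    for src in allowed:
        net = ipaddress.ip_network(src, strict=False)
        # subnet_of() raises on mixed IPv4/IPv6, so compare versions first
        if not any(net.version == t.version and net.subnet_of(t) for t in nets):
            bad.append(src)
    return bad

def triage(inventory, trusted):
    """Return (host, findings) for every host that still needs action."""
    report = []
    for host in inventory:
        findings = []
        if parse_version(host["version"]) < FIXED:
            findings.append("update to V3.1.2.2 or later")
        exposed = untrusted_sources(host["port_8000_sources"], trusted)
        if exposed:
            findings.append(f"port {TCSB_PORT} reachable from " + ", ".join(exposed))
        if findings:
            report.append((host["name"], findings))
    return report

# Constructed sample data: hypothetical hosts, versions and firewall allow-lists.
TRUSTED = ["10.20.0.0/24"]
INVENTORY = [
    {"name": "tcsb-a", "version": "V3.1.2.1", "port_8000_sources": ["0.0.0.0/0"]},
    {"name": "tcsb-b", "version": "V3.1.2.2", "port_8000_sources": ["10.20.0.0/28"]},
    {"name": "tcsb-c", "version": "V3.1.2.3",
     "port_8000_sources": ["10.20.0.0/24", "192.168.5.0/24"]},
    {"name": "tcsb-d", "version": "V3.0", "port_8000_sources": ["10.20.0.17/32"]},
]

if __name__ == "__main__":
    for name, findings in triage(INVENTORY, TRUSTED):
        print(name, "->", "; ".join(findings))
```

A host is only dropped from the report when it is both on a fixed version and restricted to trusted sources, which matches the article's point that network isolation does not replace patching.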
According to CISA, no known public exploitation specifically targeting these vulnerabilities has been reported at this time.