Siemens has released a critical security advisory addressing 66 high-severity SQL injection vulnerabilities impacting its TeleControl Server Basic platform.
According to the Siemens advisory, attackers could exploit these vulnerabilities to bypass authentication, access or manipulate database contents, and even execute code within the operating system shell with "NT AUTHORITY\NetworkService" privileges. The issues stem from insecure legacy code patterns that have now been corrected.
"TeleControl Server Basic before V3.1.2.2 contains multiple SQL Injection vulnerabilities that could allow an attacker to read and write to the application's DB, cause denial of service and execute code in an OS shell," Siemens stated.
Each vulnerability is tracked with its own CVE identifier, and Siemens lists dozens of affected internal functions, such as CreateTrace, VerifyUser, Authenticate, and RestoreFromBackup. All carry high CVSS scores:
CVE-2025-27495 (CVSS 9.8): exploitable via CreateTrace, allows unauthenticated remote code execution.
CVE-2025-27539 / CVE-2025-27540 (CVSS 9.8): affect user authentication methods, risking full DB compromise.
CVE-2025-29905 through CVE-2025-32870: target various internal update and management functions, all exploitable by authenticated attackers.
Most of the CVEs score 8.8 or 9.8 on CVSS v3.1, and 8.7 or 9.3 on CVSS v4.0.
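As an added illustration (not Siemens code; the advisory does not publish the product's queries or schema), here are the two patterns behind an authentication check of the VerifyUser kind: one that splices the caller's strings into the SQL text, and the corrected form that binds them as parameters. The `users` table, the sample row, and the function names are constructed for this example.

```python
import sqlite3

# Constructed stand-in for the application's DB so both lookup styles
# can be compared offline. Not the product's real schema.
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, pw_hash TEXT)")
    db.execute("INSERT INTO users VALUES ('operator', 'hash-of-secret')")
    return db

def verify_user_vulnerable(db, name, pw_hash):
    # Legacy pattern: user-controlled strings become part of the SQL text,
    # so a quote in `name` ends the literal and the rest is parsed as SQL.
    sql = (f"SELECT COUNT(*) FROM users "
           f"WHERE name = '{name}' AND pw_hash = '{pw_hash}'")
    return db.execute(sql).fetchone()[0] > 0

def verify_user_fixed(db, name, pw_hash):
    # Parameterized query: values travel separately from the statement
    # and can only ever be compared as data, never parsed as SQL.
    sql = "SELECT COUNT(*) FROM users WHERE name = ? AND pw_hash = ?"
    return db.execute(sql, (name, pw_hash)).fetchone()[0] > 0

def demo():
    db = make_db()
    # Constructed input: closes the name literal, adds a tautology and
    # comments out the password clause in the spliced query.
    tautology = "' OR '1'='1' --"
    return {
        "vuln_good_creds": verify_user_vulnerable(db, "operator", "hash-of-secret"),
        "vuln_bad_creds": verify_user_vulnerable(db, "operator", "wrong"),
        "vuln_tautology": verify_user_vulnerable(db, tautology, "wrong"),
        "fixed_good_creds": verify_user_fixed(db, "operator", "hash-of-secret"),
        "fixed_tautology": verify_user_fixed(db, tautology, "wrong"),
    }

if __name__ == "__main__":
    for check, passed in demo().items():
        print(f"{check}: {'authenticated' if passed else 'rejected'}")
```

The spliced version accepts the tautology input with a wrong password, while the parameterized version rejects it; that difference is the whole fix for this vulnerability class.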
Siemens recommends users upgrade to version V3.1.2.2 or later, available at their support portal.
In the meantime, Siemens urges customers to:
Restrict access to port 8000 to only trusted IP addresses.
Apply their operational industrial security guidelines.
"As a general security measure, Siemens strongly recommends to protect network access to devices with appropriate mechanisms," the advisory states.
The vulnerabilities affect components responsible for configuration, authentication, logging, project management, and database operations, placing both availability and integrity at risk.