CVE-2025-30003 – This SQL injection vulnerability in TeleControl... (How to Fix)

Q: How do I fix CVE-2025-30003?

1. Download V3.1.2.2 from Siemens portal. 2. Backup configuration and data. 3. Stop TeleControl Server Basic service. 4. Install update. 5. Restart service and verify functionality.

Q: What is the severity of CVE-2025-30003?

CVE-2025-30003 has a CVSS score of 8.8 (HIGH). This SQL injection vulnerability in TeleControl Server Basic allows authenticated remote attackers to bypass authorization controls, read/write to the database, and execute code with NetworkService permissions. It affects all versions before V3.1.2.2. Attackers need access to port 8000 on systems running vulnerable versions.

📋 TL;DR

This SQL injection vulnerability in TeleControl Server Basic allows authenticated remote attackers to bypass authorization controls, read/write to the database, and execute code with NetworkService permissions. It affects all versions before V3.1.2.2. Attackers need access to port 8000 on systems running vulnerable versions.

💻 Affected Systems

Products:

TeleControl Server Basic

Versions: All versions < V3.1.2.2

Operating Systems: Windows (based on NT AUTHORITY\NetworkService reference)

Default Config Vulnerable: ⚠️ Yes

Notes: Requires application to be running with vulnerable version and port 8000 accessible.

📦 What is this software?

Telecontrol Server Basic by Siemens

View all CVEs affecting Telecontrol Server Basic →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete system compromise with NetworkService privileges leading to lateral movement, data exfiltration, and persistent backdoor installation.

🟠

Likely Case

Database manipulation, credential theft, and unauthorized access to control systems data.

🟢

If Mitigated

Limited impact due to network segmentation and strict authentication controls preventing access to vulnerable port.

🌐 Internet-Facing: HIGH - Port 8000 exposed to internet provides direct attack surface for authenticated attackers.

🏢 Internal Only: HIGH - Internal attackers with network access can exploit this to gain elevated privileges.

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: UNKNOWN

Unauthenticated Exploit: ✅ No

Complexity: LOW

Requires authenticated access but SQL injection is typically straightforward to exploit once access is obtained.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: V3.1.2.2

Vendor Advisory: https://cert-portal.siemens.com/productcert/html/ssa-443402.html

Restart Required: Yes

Instructions:

1. Download V3.1.2.2 from Siemens portal. 2. Backup configuration and data. 3. Stop TeleControl Server Basic service. 4. Install update. 5. Restart service and verify functionality.

🔧 Temporary Workarounds

Network Segmentation

windows

Restrict access to port 8000/TCP to only trusted management networks

Windows Firewall: New-NetFirewallRule -DisplayName "Block TeleControl Port" -Direction Inbound -LocalPort 8000 -Protocol TCP -Action Block

Authentication Hardening

all

Implement strong authentication controls and monitor for suspicious login attempts

🧯 If You Can't Patch

Implement strict network access controls to limit access to port 8000 to only absolutely necessary systems
Deploy web application firewall (WAF) with SQL injection protection rules in front of the application

🔍 How to Verify

Check if Vulnerable:

Check TeleControl Server Basic version in application interface or installation directory. If version is below V3.1.2.2 and port 8000 is accessible, system is vulnerable.

Check Version:

Check application GUI or installation directory for version information

Verify Fix Applied:

Verify application version shows V3.1.2.2 or higher in the interface or about dialog.

📡 Detection & Monitoring

Log Indicators:

Unusual SQL queries in application logs
Multiple failed authentication attempts followed by successful login
Unexpected database access patterns

Network Indicators:

SQL injection patterns in traffic to port 8000
Unusual outbound connections from TeleControl Server process

SIEM Query:

source="telecontrol.log" AND ("sql" OR "database" OR "query") AND ("error" OR "exception" OR "malformed")

📊 Metadata

CVE ID: CVE-2025-30003

CVSS v3 Score: 8.8 (HIGH)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CWE: CWE-89

EPSS Score: 0.94% exploit probability (75.9th percentile)

Published: April 16, 2025

Last Updated: August 19, 2025

🔗 References

https://cert-portal.siemens.com/productcert/html/ssa-443402.html Vendor Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2025-30003, you might also want to check these: