CVE-2025-27495: 
Telecontrol Server Basic vulnerability analysis and mitigation

CVE-2025-27495 is a critical SQL injection vulnerability discovered in Siemens TeleControl Server Basic affecting all versions prior to V3.1.2.2. The vulnerability was disclosed on April 16, 2025, and is related to the internally used 'CreateTrace' method (Siemens Advisory, CISA Advisory).

The vulnerability exists in the 'CreateTrace' method of TeleControl Server Basic and allows SQL injection attacks. It has received a CVSS v3.1 base score of 9.8 (CRITICAL) with vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, and a CVSS v4.0 base score of 9.3 with vector string CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L. The vulnerability is classified as CWE-89: Improper Neutralization of Special Elements used in an SQL Command (Siemens Advisory).

Successful exploitation of this vulnerability could allow an unauthenticated remote attacker to bypass authorization controls, read from and write to the application's database, and execute code with 'NT AUTHORITY\NetworkService' permissions. The attack requires access to port 8000 on a system where a vulnerable version of the application is running (CISA Advisory, Security Online).

Siemens has released version V3.1.2.2 to address this vulnerability and recommends users to update to this version or later. As a temporary workaround, organizations should restrict access to port 8000 to trusted IP addresses only and follow Siemens' operational guidelines for Industrial Security (Siemens Advisory).

The vulnerability has gained significant attention in the industrial control systems security community, as it was part of a larger security advisory from CISA covering multiple ICS vulnerabilities. Security researchers have noted this as one of 66 SQL injection flaws discovered in TeleControl Server Basic, highlighting the critical nature of the vulnerability (Cyber Security News).