Full Report
TeleControl Server Basic before V3.1.2.2 contains an Improper Handling of Length Parameter Inconsistency vulnerability that could allow an attacker to make the application allocate an exhaustive amount of memory and thereby create a denial of service condition. Siemens has released a new version of TeleControl Server Basic and recommends updating to the latest version.
Analysis Summary
# Vulnerability: Improper Handling of Length Parameter Inconsistency in TeleControl Server Basic
## CVE Details
- CVE ID: CVE-2025-29931
- CVSS Score: 3.7 (CVSS v3.1, Low) / 6.3 (CVSS v4.0, Medium)
- CWE: CWE-130: Improper Handling of Length Parameter Inconsistency
## Affected Systems
- Products: TeleControl Server Basic
- Versions: All versions before V3.1.2.2
- Configurations: Successful exploitation is only possible in **redundant** TeleControl Server Basic setups, **and only if the connection between the redundant servers has been disrupted.**
## Vulnerability Description
The vulnerable component fails to validate a length field in a serialized message before using it to size an allocation during deserialization. Because the declared length is not checked against the bytes actually received (or against any upper bound), an unauthenticated remote attacker can craft a small message whose length field forces the application to allocate an exhaustive amount of memory, leading to a denial of service (DoS) through memory exhaustion.
## Exploitation
- Status: The advisory does not state whether a public proof of concept exists; the weakness (an unchecked length field driving an allocation) is a well-known pattern.
- Complexity: Exploitation requires a specific scenario (a redundant setup whose inter-server link has been disrupted). The CVSS v3.1 base score of 3.7 is consistent with High attack complexity (AC:H) given the other metrics listed here.
- Attack Vector: Network (AV:N)
## Impact
- Confidentiality: No Impact (C:N)
- Integrity: No Impact (I:N)
- Availability: Low Impact (Partial DoS) (A:L)
## Remediation
### Patches
- Update to **V3.1.2.2 or a later version**.
- Vendor Patch Link: hxxps://support.industry.siemens.com/cs/ww/en/view/109987362/
### Workarounds
- Disable TeleControl Server Basic redundancy if it is not being used.
## Detection
- The advisory provides no detection guidance. Practical options are to monitor traffic to the redundant-server interface for serialized messages whose declared length field is inconsistent with the frame actually received (particularly while the redundancy link is disrupted), and to alert on sudden, excessive memory consumption by the TeleControl Server Basic process.
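The following is an added example, not code from the advisory or from Siemens, illustrating both the vulnerability pattern described above and the detection idea in this section. The wire format (a 4-byte big-endian length prefix followed by the payload), the 64 KiB ceiling, and all function names are assumptions for illustration; the real TeleControl Server Basic message format is not documented on this page. `parse_naive` shows the CWE-130 pattern (allocation sized by an untrusted length field), `parse_hardened` checks the declared length against the bytes present and a ceiling before allocating, and `scan_frames` applies the same check to captured frames as a detection pass.

```python
import struct

# Constructed wire format for illustration (assumption: this is NOT the real
# TeleControl Server Basic protocol, which the advisory does not describe):
#   4-byte big-endian declared payload length, followed by the payload bytes.
HEADER = struct.Struct(">I")
MAX_PAYLOAD = 64 * 1024  # assumed per-message ceiling used by the hardened parser


def parse_naive(frame: bytes) -> bytearray:
    """Vulnerable pattern (CWE-130): trusts the declared length field.

    The receive buffer is sized from the attacker-controlled header before
    anyone checks how many payload bytes actually arrived, so a frame of a few
    bytes can force an allocation of any size the header claims.
    """
    (declared_len,) = HEADER.unpack_from(frame, 0)
    buf = bytearray(declared_len)          # allocation driven by the untrusted length
    payload = frame[HEADER.size:HEADER.size + declared_len]
    buf[:len(payload)] = payload           # copies whatever is present; the rest stays zero
    return buf


def parse_hardened(frame: bytes) -> bytes:
    """Hardened parser: the declared length must agree with the bytes present
    and stay under an explicit ceiling before any allocation happens."""
    if len(frame) < HEADER.size:
        raise ValueError("truncated header")
    (declared_len,) = HEADER.unpack_from(frame, 0)
    available = len(frame) - HEADER.size
    if declared_len > MAX_PAYLOAD:
        raise ValueError(f"declared length {declared_len} exceeds ceiling {MAX_PAYLOAD}")
    if declared_len != available:
        raise ValueError(f"declared length {declared_len} != {available} bytes present")
    return bytes(frame[HEADER.size:HEADER.size + declared_len])


def build_frame(declared_len: int, payload: bytes) -> bytes:
    """Builds a frame whose header may deliberately disagree with its payload."""
    return HEADER.pack(declared_len) + payload


def scan_frames(frames):
    """Detection helper: returns (index, reason) for every frame the hardened
    parser would reject. Run over frames captured on the redundancy interface,
    this flags length-inconsistent messages without allocating for them."""
    findings = []
    for i, frame in enumerate(frames):
        try:
            parse_hardened(frame)
        except ValueError as exc:
            findings.append((i, str(exc)))
    return findings


if __name__ == "__main__":
    # Constructed sample frames: one honest, two with lying length fields.
    good = build_frame(4, b"ping")
    inflated = build_frame(65536, b"ping")        # header claims 64 KiB, 4 bytes sent
    hostile = build_frame(0xFFFFFFFF, b"ping")    # header claims ~4 GiB, 4 bytes sent
    print(len(parse_naive(inflated)))             # naive parser allocates 65536 bytes for 4 bytes of input
    print(scan_frames([good, inflated, hostile]))
```

The naive parser is deliberately not fed the `hostile` frame in the demonstration: that is exactly the allocation the hardened check exists to prevent. The `!=` comparison also rejects frames with trailing bytes beyond the declared length, which is the stricter choice; a protocol that legitimately pads frames would compare with `>` instead.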
## References
- Vendor Advisory: SSA-395348
- Vendor Patch Information: hxxps://support.industry.siemens.com/cs/ww/en/view/109987362/
- General Security Guidelines: hxxps://www.siemens.com/cert/operational-guidelines-industrial-security