Deserialization Vulnerability in TeleControl Server Basic V3.1
Act Now | 10 | SSA-454789 | Nov 12, 2024
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary
TeleControl Server Basic V3.1 contains a deserialization vulnerability (CWE-502) in handling network messages. An unauthenticated attacker on the network can send specially crafted serialized objects that are deserialized without validation, leading to arbitrary code execution on the server with full system privileges. This affects all TeleControl Server Basic models and variants running V3.1 firmware prior to patch 3.1.2.1. Siemens has released version 3.1.2.1 as a security fix.
What this means
What could happen
An attacker on the network could execute arbitrary code on the TeleControl Server, potentially taking control of remote terminal unit (RTU) operations, modifying setpoints, or disrupting communication with field devices across your water or electric distribution network.
Who's at risk
Water and electric utilities using Siemens TeleControl Server Basic for remote monitoring and control of RTUs, substations, and field devices. This affects all model sizes (8-point through 5000-point variants) running V3.1 firmware.
How it could be exploited
An attacker sends a specially crafted network message containing malicious serialized objects to the TeleControl Server. The server deserializes the untrusted data without validation, allowing the attacker's code to execute with server privileges. No credentials are required.
Prerequisites
- Network access to TeleControl Server on its listening port (typically port 502 or proprietary SCADA protocol port)
- TeleControl Server V3.1 running on any variant (8 to 5000 point models) prior to version 3.1.2.1
- remotely exploitable
- no authentication required
- low complexity
- high CVSS score (10.0)
- actively developed (patch available)
Exploitability
Moderate exploit probability (EPSS 6.6%)
Affected products (13)
13 with fix
| Product | Affected Versions | Fix Status |
|---|---|---|
| PP TeleControl Server Basic 1000 to 5000 V3.1 | < V3.1.2.1 | 3.1.2.1 |
| PP TeleControl Server Basic 256 to 1000 V3.1 | < V3.1.2.1 | 3.1.2.1 |
| PP TeleControl Server Basic 32 to 64 V3.1 | < V3.1.2.1 | 3.1.2.1 |
| PP TeleControl Server Basic 64 to 256 V3.1 | < V3.1.2.1 | 3.1.2.1 |
| PP TeleControl Server Basic 8 to 32 V3.1 | < V3.1.2.1 | 3.1.2.1 |
| TeleControl Server Basic 1000 V3.1 | < V3.1.2.1 | 3.1.2.1 |
| TeleControl Server Basic 256 V3.1 | < V3.1.2.1 | 3.1.2.1 |
| TeleControl Server Basic 32 V3.1 | < V3.1.2.1 | 3.1.2.1 |
Remediation & Mitigation
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
HOTFIX: Update all TeleControl Server Basic V3.1 devices to firmware version 3.1.2.1 or later
CVEs (1)