Siemens TeleControl Server Basic V3.1 Insecure Deserialization Vulnerability (CVSS 10.0)

### SSA-454789: Deserialization Vulnerability in TeleControl Server Basic V3.1 #### Key Information from the Webpage: 1. **Publication Date:** - 2024-11-12 2. **Last Update:** - 2024-11-12 3. **Current Version:** - V1.0 4. **CVSS v3.1 Base Score:** - 10.0 5. **CVSS v4.0 Base表 Score:** - 10.0 6. **Summary:** - TeleControl Server Basic V3.1 contains a deserialization vulnerability that could allow an unauthenticated attacker to execute arbitrary code on the device. 7. **Affected Products and Solution:** - **Affected Product and Versions:** TeleControl Server Basic V3.1 - **Remediation:** Update to V3.1.2.1 or later version. See further recommendations from section Workarounds and Mitigations. 8. **Workarounds and Mitigations:** - Disable redundancy, if not used. - Restrict access to the affected systems to trusted IP addresses only. 9. **General Security Recommendations:** - Siemens recommends to protect network access to devices with appropriate mechanisms. - Configure the environment according to Siemens' operational guidelines for Industrial Security. - Follow the recommendations in the product manuals. 10. **Product Description:** - Describes all vulnerabilities (CVE-IDs) addressed in this security advisory. 11. **Vulnerability Description:** - The affected system allows remote users to send maliciously crafted objects. Due to insecure deserialization of user-supplied content by the affected software, an unauthenticated attacker could exploit this vulnerability by sending a maliciously crafted serialized object. This could allow the attacker to execute arbitrary code on the device with SYSTEM privileges. 12. **Acknowledgments:** - Siemens thanks Tenable for coordinated disclosure. 13. **Additional Information:** - Contact Siemens ProductCERT for further inquiries on security vulnerabilities in Siemens products and solutions. 14. **History Data:** - V1.0 (2024-11-12): Publication Date 15. **Terms of Use:** - The use of Siemens Security Advisories is subject to the terms and conditions listed on:

Goal Reached Thanks to every supporter — we hit 100%!

Siemens TeleControl Server Basic V3.1 Insecure Deserialization Vulnerability (CVSS 10.0)