CVE-2025-29931
low-risk
Published 2025-04-17
A vulnerability has been identified in TeleControl Server Basic (All versions < V3.1.2.2). The affected product does not properly validate a length field in a serialized message which it uses to determine the amount of memory to be allocated for deserialization. This could allow an unauthenticated remote attacker to cause the application to allocate exhaustive amounts of memory and subsequently create a partial denial of service condition. Successful exploitation is only possible in redundant Telecontrol Server Basic setups and only if the connection between the redundant servers has been disrupted.
Do I need to act?
-
0.35% chance of exploitation
EPSS score — low exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
3
CVSS 3.7/10
Low
NETWORK
/ HIGH complexity
Affected Products (1)
Affected Vendors
References (1)
Vendor Advisory
https://cert-portal.siemens.com/productcert/html/ssa-395348.html
19
/ 100
low-risk
Severity
13/34 · Low
Exploitability
1/34 · Minimal
Exposure
5/34 · Minimal