{"id":32886,"date":"2025-04-28T04:42:47","date_gmt":"2025-04-28T04:42:47","guid":{"rendered":""},"modified":"2025-09-16T12:32:28","modified_gmt":"2025-09-16T18:32:28","slug":"cve-2025-32855-sql-injection-vulnerability-in-telecontrol-server-basic","status":"publish","type":"post","link":"https:\/\/www.ameeba.com\/blog\/cve-2025-32855-sql-injection-vulnerability-in-telecontrol-server-basic\/","title":{"rendered":"CVE-2025-32855: SQL Injection Vulnerability in TeleControl Server Basic<\/strong>"},"content":{"rendered":"

Overview<\/strong><\/p>\n

CVE-2025-32855 is a significant cybersecurity vulnerability affecting all versions of TeleControl Server Basic prior to V3.1.2.2. This vulnerability is a type of SQL Injection, a common and dangerous security flaw that can be exploited by an attacker to manipulate the application’s database. It was identified that the ‘UnlockOpcSettings’ method, internally used by the application, is susceptible to this SQL injection<\/a> attack. The vulnerability is particularly concerning because it allows an authenticated attacker to bypass authorization controls, read from, write to the application’s database, and even execute code<\/a> with “NT AUTHORITYNetworkService” permissions. Given these capabilities, this vulnerability could potentially lead to system compromise or data<\/a> leakage.<\/p>\n

Vulnerability Summary<\/strong><\/p>\n

CVE ID: CVE-2025-32855
\nSeverity: High (8.8 CVSS Score)
\nAttack Vector: Network
\nPrivileges Required: Low (Authenticated Users<\/a>)
\nUser Interaction: None
\nImpact: Bypass of authorization controls, potential system<\/a> compromise and data leakage<\/p>\n

Affected Products<\/strong><\/p>

\r\n

\r\n \r\n \"Ameeba\r\n <\/a>\r\n A new way to communicate\r\n <\/h2>\r\n\r\n

\r\n Ameeba Chat is built on encrypted identity, not personal profiles.\r\n <\/p>\r\n\r\n

\r\n Message, call, share files, and coordinate with identities kept separate.\r\n <\/p>\r\n\r\n