PT-2025-16947 · Unknown · Telecontrol Server Basic
Published 2025-04-17 · Updated 2025-04-19 · CVE-2025-29931
CVSS v4.0 6.3 Medium
| Vector | AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
Name of the Vulnerable Software and Affected Versions
TeleControl Server Basic versions prior to 3.1.2.2
Description
A vulnerability has been identified in the product where it does not properly validate a length field in a serialized message, which is used to determine the amount of memory to be allocated for deserialization. This could allow an unauthenticated remote attacker to cause the application to allocate excessive amounts of memory, leading to a partial denial of service condition. Successful exploitation is only possible in redundant setups and if the connection between the redundant servers has been disrupted.
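To make the bug class concrete, here is an added illustration (not code from TeleControl Server Basic or its vendor) of a length-prefixed reader that trusts the header beside a hardened one that caps the declared length and only grows its buffer as bytes actually arrive. The 4-byte header format and the 64 KiB cap are assumptions made for this example.

```python
import io
import struct

# Constructed wire format for illustration only (not TeleControl Server Basic's
# real protocol): a 4-byte big-endian length field followed by the payload.
HEADER = struct.Struct(">I")
MAX_PAYLOAD = 64 * 1024  # assumed policy bound; derive it from the message schema

class MalformedMessage(ValueError):
    """Raised when the length field fails validation."""

def read_unchecked(data: bytes) -> bytearray:
    """The bug class: buffer size comes straight from the untrusted length field."""
    (length,) = HEADER.unpack_from(data)
    buf = bytearray(length)  # the peer decides how much memory this allocates
    buf[: len(data) - HEADER.size] = data[HEADER.size:]
    return buf

def read_from_stream(stream, max_payload: int = MAX_PAYLOAD, chunk: int = 4096) -> bytes:
    """Hardened: cap the declared length, then grow memory only with bytes really sent."""
    header = stream.read(HEADER.size)
    if len(header) < HEADER.size:
        raise MalformedMessage("truncated header")
    (length,) = HEADER.unpack_from(header)
    if length > max_payload:
        raise MalformedMessage(f"declared length {length} exceeds {max_payload}")
    parts, remaining = [], length
    while remaining:
        piece = stream.read(min(remaining, chunk))
        if not piece:
            raise MalformedMessage("stream ended before the declared length arrived")
        parts.append(piece)
        remaining -= len(piece)
    return b"".join(parts)

def parse_stream_bytes(data: bytes) -> bytes:
    """Run the hardened reader over an in-memory byte string."""
    return read_from_stream(io.BytesIO(data))

def is_rejected(reader, data: bytes) -> bool:
    """True when the reader refuses the message rather than allocating for it."""
    try:
        reader(data)
    except MalformedMessage:
        return True
    return False
```

With a header declaring 1000 bytes but only five bytes following it, the unchecked reader still allocates 1000 bytes, while the hardened reader rejects the message once the stream ends short or the cap is exceeded.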
Recommendations
For versions prior to 3.1.2.2, update to version 3.1.2.2 or later to resolve the issue. As a temporary workaround, consider restricting access to the deserialization function to minimize the risk of exploitation.
Fix · DoS
Affected Products
Telecontrol Server Basic