TeleControl Server Basic before V3.1.2.2 contains multiple SQL Injection vulnerabilities that could allow an attacker to read and write to the application’s DB, cause denial of service and execute code in an OS shell with limited “NT AUTHORITY” permissions.
Siemens has conducted a root-cause analysis for potential SQL injection vulnerabilities and has identified the locations in the code base where the underlying legacy design pattern has been used in. TeleControl Server Basic V3.1.2.2 has fixed all occurrences in the affected product.
Siemens has released a new version for TeleControl Server Basic and recommends to update to the latest version.

https://cert-portal.siemens.com/productcert/html/ssa-443402.html