Description
A vulnerability has been identified in blueplanet 100 NX3 M8 (All versions), blueplanet 100 TL3 GEN2 (All versions), blueplanet 105 TL3 (All versions), blueplanet 105 TL3 GEN2 (All versions), blueplanet 110 TL3 (All versions), blueplanet 125 NX3 M10 (All versions), blueplanet 125 TL3 (All versions), blueplanet 125 TL3 GEN2 (All versions), blueplanet 137 TL3 (All versions), blueplanet 150 TL3 (All versions), blueplanet 150 TL3 GEN2 (All versions), blueplanet 155 TL3 (All versions), blueplanet 155 TL3 GEN2 (All versions), blueplanet 165 TL3 (All versions), blueplanet 165 TL3 GEN2 (All versions), blueplanet 25.0 NX3-33.0 NX3 (All versions), blueplanet 3.0 NX3-20.0 NX3 (All versions), blueplanet 3.0-5.0 NX1 (All versions), blueplanet 360 NX3 M6 (All versions), blueplanet 50.0 NX3-60.0 NX3 (All versions), blueplanet 87.0 TL3 (All versions), blueplanet 87.0 TL3 GEN2 (All versions), blueplanet 92.0 TL3 (All versions), blueplanet 92.0 TL3 GEN2 (All versions), blueplanet gridsave 110 TL3-S (All versions), blueplanet gridsave 137 TL3-S (All versions), blueplanet gridsave 92.0 TL3-S (All versions), blueplanet hybrid 10.0 TL3 (All versions), blueplanet hybrid 6.0 NH3-12.0 NH3 (All versions). Improper neutralization of special elements used in an sql command ('sql injection') in KACO Meteor server allows an authorized attacker to elevate privileges over a local network.
Published: 2026-05-12
Score: 5.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Improper neutralization of special elements used in an SQL command ('SQL injection') in the KACO Meteor server on Siemens BluePlanet systems allows an authorized attacker with local network access to elevate privileges. By exploiting this flaw, the attacker could gain full control over the affected device, impacting confidentiality, integrity, and availability. The vulnerability is a classic SQL injection, classified as CWE‑89.

Affected Systems

The vulnerability affects every revision of the Siemens BluePlanet product family, including BluePlanet 100 NX3 M8, BluePlanet 100 TL3 GEN2, BluePlanet 105 TL3 and its GEN2 variants, BluePlanet 110 TL3, BluePlanet 125 NX3 M10, BluePlanet 125 TL3 and its GEN2 variants, BluePlanet 137 TL3, BluePlanet 150 TL3 and its GEN2 variants, BluePlanet 155 TL3 and its GEN2 variants, BluePlanet 165 TL3 and its GEN2 variants, BluePlanet 25.0 NX3-33.0 NX3, BluePlanet 3.0 NX3-20.0 NX3, BluePlanet 3.0-5.0 NX1, BluePlanet 360 NX3 M6, BluePlanet 50.0 NX3-60.0 NX3, BluePlanet 87.0 TL3 and its GEN2 variant, BluePlanet 92.0 TL3 and its GEN2 variant, BluePlanet gridsave 110 TL3-S, BluePlanet gridsave 137 TL3-S, BluePlanet gridsave 92.0 TL3-S, BluePlanet hybrid 10.0 TL3, and BluePlanet hybrid 6.0 NH3-12.0 NH3. All listed models are affected regardless of firmware or software version.

Risk and Exploitability

The CVSS score of 5.9 indicates a moderate severity, reflecting the need for an authenticated attacker with local network presence. Because EPSS is available and is very low (<1%, score approximately 0.00021), the likelihood of exploitation is very low, but the vulnerability is not currently listed in the CISA KEV catalog, which suggests no widespread public exploitation is documented. Nevertheless, the database-level elevation could lead to full control of the asset, compromising confidentiality, integrity, and availability within the local network. Based on the description, it is inferred that an attacker must have authorized local network access to exploit the flaw. Attackers would need to be authenticated or otherwise have legitimate credentials to interact with the KACO Meteor server; there is no mention of remote access.

Generated by OpenCVE AI on May 29, 2026 at 16:40 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Siemens patch (SSA‑545643) to all affected BluePlanet units
  • Restrict and audit user accounts on the KACO Meteor server, ensuring only necessary privileged users have access
  • Enable network segmentation to isolate the BluePlanet devices from critical infrastructure and monitor for anomalous database queries

Generated by OpenCVE AI on May 29, 2026 at 16:40 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 29 May 2026 17:00:00 +0000

Type Values Removed Values Added
Title KACO Meteor SQL Injection Enables Local Privilege Escalation

Fri, 29 May 2026 13:45:00 +0000

Type Values Removed Values Added
Description A vulnerability has been identified in blueplanet 100 NX3 M8 (All versions), blueplanet 100 TL3 GEN2 (All versions), blueplanet 105 TL3 (All versions), blueplanet 105 TL3 GEN2 (All versions), blueplanet 110 TL3 (All versions), blueplanet 125 NX3 M11 (All versions), blueplanet 125 TL3 (All versions), blueplanet 125 TL3 GEN2 (All versions), blueplanet 137 TL3 (All versions), blueplanet 150 TL3 (All versions), blueplanet 150 TL3 GEN2 (All versions), blueplanet 155 TL3 (All versions), blueplanet 155 TL3 GEN2 (All versions), blueplanet 165 TL3 (All versions), blueplanet 165 TL3 GEN2 (All versions), blueplanet 25.0 NX3-33.0 NX3 (All versions), blueplanet 3.0 NX3-20.0 NX3 (All versions), blueplanet 3.0-5.0 NX1 (All versions), blueplanet 360 NX3 M6 (All versions), blueplanet 50.0 NX3-60.0 NX3 (All versions), blueplanet 87.0 TL3 (All versions), blueplanet 87.0 TL3 GEN2 (All versions), blueplanet 92.0 TL3 (All versions), blueplanet 92.0 TL3 GEN2 (All versions), blueplanet gridsafe 110 TL3-S (All versions), blueplanet gridsafe 137 TL3-S (All versions), blueplanet gridsafe 92.0 TL3-S (All versions), blueplanet hybrid 10.0 TL3 (All versions), blueplanet hybrid 6.0 NH3-12.0 NH3 (All versions). Improper neutralization of special elements used in an sql command ('sql injection') in KACO Meteor server allows an authorized attacker to elevate privileges over a local network. A vulnerability has been identified in blueplanet 100 NX3 M8 (All versions), blueplanet 100 TL3 GEN2 (All versions), blueplanet 105 TL3 (All versions), blueplanet 105 TL3 GEN2 (All versions), blueplanet 110 TL3 (All versions), blueplanet 125 NX3 M10 (All versions), blueplanet 125 TL3 (All versions), blueplanet 125 TL3 GEN2 (All versions), blueplanet 137 TL3 (All versions), blueplanet 150 TL3 (All versions), blueplanet 150 TL3 GEN2 (All versions), blueplanet 155 TL3 (All versions), blueplanet 155 TL3 GEN2 (All versions), blueplanet 165 TL3 (All versions), blueplanet 165 TL3 GEN2 (All versions), blueplanet 25.0 NX3-33.0 NX3 (All versions), blueplanet 3.0 NX3-20.0 NX3 (All versions), blueplanet 3.0-5.0 NX1 (All versions), blueplanet 360 NX3 M6 (All versions), blueplanet 50.0 NX3-60.0 NX3 (All versions), blueplanet 87.0 TL3 (All versions), blueplanet 87.0 TL3 GEN2 (All versions), blueplanet 92.0 TL3 (All versions), blueplanet 92.0 TL3 GEN2 (All versions), blueplanet gridsave 110 TL3-S (All versions), blueplanet gridsave 137 TL3-S (All versions), blueplanet gridsave 92.0 TL3-S (All versions), blueplanet hybrid 10.0 TL3 (All versions), blueplanet hybrid 6.0 NH3-12.0 NH3 (All versions). Improper neutralization of special elements used in an sql command ('sql injection') in KACO Meteor server allows an authorized attacker to elevate privileges over a local network.

Wed, 13 May 2026 11:00:00 +0000

Type Values Removed Values Added
First Time appeared Siemens
Siemens blueplanet 100 Nx3 M8
Siemens blueplanet 100 Tl3 Gen2
Siemens blueplanet 105 Tl3
Siemens blueplanet 105 Tl3 Gen2
Siemens blueplanet 110 Tl3
Siemens blueplanet 125 Nx3 M11
Siemens blueplanet 125 Tl3
Siemens blueplanet 125 Tl3 Gen2
Siemens blueplanet 137 Tl3
Siemens blueplanet 150 Tl3
Siemens blueplanet 150 Tl3 Gen2
Siemens blueplanet 155 Tl3
Siemens blueplanet 155 Tl3 Gen2
Siemens blueplanet 165 Tl3
Siemens blueplanet 165 Tl3 Gen2
Siemens blueplanet 25.0 Nx3-33.0 Nx3
Siemens blueplanet 3.0-5.0 Nx1
Siemens blueplanet 3.0 Nx3-20.0 Nx3
Siemens blueplanet 360 Nx3 M6
Siemens blueplanet 50.0 Nx3-60.0 Nx3
Siemens blueplanet 87.0 Tl3
Siemens blueplanet 87.0 Tl3 Gen2
Siemens blueplanet 92.0 Tl3
Siemens blueplanet 92.0 Tl3 Gen2
Siemens blueplanet Gridsafe 110 Tl3-s
Siemens blueplanet Gridsafe 137 Tl3-s
Siemens blueplanet Gridsafe 92.0 Tl3-s
Siemens blueplanet Hybrid 10.0 Tl3
Siemens blueplanet Hybrid 6.0 Nh3-12.0 Nh3
Vendors & Products Siemens
Siemens blueplanet 100 Nx3 M8
Siemens blueplanet 100 Tl3 Gen2
Siemens blueplanet 105 Tl3
Siemens blueplanet 105 Tl3 Gen2
Siemens blueplanet 110 Tl3
Siemens blueplanet 125 Nx3 M11
Siemens blueplanet 125 Tl3
Siemens blueplanet 125 Tl3 Gen2
Siemens blueplanet 137 Tl3
Siemens blueplanet 150 Tl3
Siemens blueplanet 150 Tl3 Gen2
Siemens blueplanet 155 Tl3
Siemens blueplanet 155 Tl3 Gen2
Siemens blueplanet 165 Tl3
Siemens blueplanet 165 Tl3 Gen2
Siemens blueplanet 25.0 Nx3-33.0 Nx3
Siemens blueplanet 3.0-5.0 Nx1
Siemens blueplanet 3.0 Nx3-20.0 Nx3
Siemens blueplanet 360 Nx3 M6
Siemens blueplanet 50.0 Nx3-60.0 Nx3
Siemens blueplanet 87.0 Tl3
Siemens blueplanet 87.0 Tl3 Gen2
Siemens blueplanet 92.0 Tl3
Siemens blueplanet 92.0 Tl3 Gen2
Siemens blueplanet Gridsafe 110 Tl3-s
Siemens blueplanet Gridsafe 137 Tl3-s
Siemens blueplanet Gridsafe 92.0 Tl3-s
Siemens blueplanet Hybrid 10.0 Tl3
Siemens blueplanet Hybrid 6.0 Nh3-12.0 Nh3

Tue, 12 May 2026 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 12 May 2026 10:45:00 +0000

Type Values Removed Values Added
Title KACO Meteor SQL Injection Enables Local Privilege Escalation

Tue, 12 May 2026 09:30:00 +0000

Type Values Removed Values Added
Description A vulnerability has been identified in blueplanet 100 NX3 M8 (All versions), blueplanet 100 TL3 GEN2 (All versions), blueplanet 105 TL3 (All versions), blueplanet 105 TL3 GEN2 (All versions), blueplanet 110 TL3 (All versions), blueplanet 125 NX3 M11 (All versions), blueplanet 125 TL3 (All versions), blueplanet 125 TL3 GEN2 (All versions), blueplanet 137 TL3 (All versions), blueplanet 150 TL3 (All versions), blueplanet 150 TL3 GEN2 (All versions), blueplanet 155 TL3 (All versions), blueplanet 155 TL3 GEN2 (All versions), blueplanet 165 TL3 (All versions), blueplanet 165 TL3 GEN2 (All versions), blueplanet 25.0 NX3-33.0 NX3 (All versions), blueplanet 3.0 NX3-20.0 NX3 (All versions), blueplanet 3.0-5.0 NX1 (All versions), blueplanet 360 NX3 M6 (All versions), blueplanet 50.0 NX3-60.0 NX3 (All versions), blueplanet 87.0 TL3 (All versions), blueplanet 87.0 TL3 GEN2 (All versions), blueplanet 92.0 TL3 (All versions), blueplanet 92.0 TL3 GEN2 (All versions), blueplanet gridsafe 110 TL3-S (All versions), blueplanet gridsafe 137 TL3-S (All versions), blueplanet gridsafe 92.0 TL3-S (All versions), blueplanet hybrid 10.0 TL3 (All versions), blueplanet hybrid 6.0 NH3-12.0 NH3 (All versions). Improper neutralization of special elements used in an sql command ('sql injection') in KACO Meteor server allows an authorized attacker to elevate privileges over a local network.
Weaknesses CWE-89
References
Metrics cvssV3_1

{'score': 6, 'vector': 'CVSS:3.1/AV:A/AC:H/PR:H/UI:N/S:U/C:L/I:H/A:H'}

cvssV4_0

{'score': 5.9, 'vector': 'CVSS:4.0/AV:A/AC:H/AT:N/PR:H/UI:N/VC:L/VI:H/VA:H/SC:N/SI:N/SA:N'}

Subscriptions

Siemens Blueplanet 100 Nx3 M8 Blueplanet 100 Tl3 Gen2 Blueplanet 105 Tl3 Blueplanet 105 Tl3 Gen2 Blueplanet 110 Tl3 Blueplanet 125 Nx3 M11 Blueplanet 125 Tl3 Blueplanet 125 Tl3 Gen2 Blueplanet 137 Tl3 Blueplanet 150 Tl3 Blueplanet 150 Tl3 Gen2 Blueplanet 155 Tl3 Blueplanet 155 Tl3 Gen2 Blueplanet 165 Tl3 Blueplanet 165 Tl3 Gen2 Blueplanet 25.0 Nx3-33.0 Nx3 Blueplanet 3.0-5.0 Nx1 Blueplanet 3.0 Nx3-20.0 Nx3 Blueplanet 360 Nx3 M6 Blueplanet 50.0 Nx3-60.0 Nx3 Blueplanet 87.0 Tl3 Blueplanet 87.0 Tl3 Gen2 Blueplanet 92.0 Tl3 Blueplanet 92.0 Tl3 Gen2 Blueplanet Gridsafe 110 Tl3-s Blueplanet Gridsafe 137 Tl3-s Blueplanet Gridsafe 92.0 Tl3-s Blueplanet Hybrid 10.0 Tl3 Blueplanet Hybrid 6.0 Nh3-12.0 Nh3
cve-icon MITRE

Status: PUBLISHED

Assigner: siemens

Published:

Updated: 2026-05-29T13:03:47.049Z

Reserved: 2026-04-17T11:25:13.214Z

Link: CVE-2026-41125

cve-icon Vulnrichment

Updated: 2026-05-12T12:41:56.398Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-05-12T10:16:46.057

Modified: 2026-05-29T14:16:26.890

Link: CVE-2026-41125

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-29T16:45:03Z

Weaknesses