Impact
A SQL injection vulnerability has been discovered in the KACO Meteor component of Siemens BluePlanet systems. The flaw arises from improper neutralization of special elements in SQL commands, allowing an attacker with authorized local network access to execute arbitrary SQL statements. Exploitation can elevate the attacker's privileges within the system, potentially granting full control over the device. The weakness is categorized as CWE-89.
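To make the CWE-89 pattern concrete, the following is an added illustration (not code from the advisory, from Siemens, or from the KACO Meteor product; the schema, table name and inputs are constructed) showing a lookup that splices untrusted input into the SQL text beside the parameterized form that a fix of this class would use. It runs offline against an in-memory SQLite database.

```python
import sqlite3


def make_db():
    # Constructed in-memory stand-in for a device-local user store
    # (illustrative only; not the KACO Meteor schema).
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("operator", "user"), ("admin", "admin")],
    )
    conn.commit()
    return conn


def lookup_role_vulnerable(conn, username):
    # CWE-89: the untrusted value is concatenated into the statement, so
    # SQL metacharacters in it alter the statement's structure.
    query = f"SELECT role FROM users WHERE name = '{username}'"
    return [row[0] for row in conn.execute(query)]


def lookup_role_safe(conn, username):
    # Parameterized query: the value travels separately from the SQL text
    # and is only ever compared as data, whatever characters it contains.
    query = "SELECT role FROM users WHERE name = ?"
    return [row[0] for row in conn.execute(query, (username,))]


def demo():
    # Runs both variants on a benign name and on a constructed input
    # containing SQL metacharacters, and returns the row sets for comparison.
    conn = make_db()
    benign = "operator"
    hostile = "x' OR '1'='1"  # constructed test input, not a real credential
    return {
        "vuln_benign": lookup_role_vulnerable(conn, benign),
        "vuln_hostile": lookup_role_vulnerable(conn, hostile),
        "safe_benign": lookup_role_safe(conn, benign),
        "safe_hostile": lookup_role_safe(conn, hostile),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label}: {rows}")
```

With the hostile input, the concatenating variant returns every user's role, including the administrative one, because the quote character closed the literal early and widened the WHERE clause; the parameterized variant returns nothing, since no user is literally named `x' OR '1'='1`. Code review or static analysis that flags string-built SQL statements, together with a policy of binding parameters everywhere, is the standard remediation for this weakness class.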
Affected Systems
The vulnerability affects every revision of the Siemens BluePlanet product family, including BluePlanet 100 NX3 M8, BluePlanet 100 TL3 GEN2, BluePlanet 105 TL3 and its GEN2 variants, BluePlanet 110 TL3, BluePlanet 125 NX3 M11, BluePlanet 125 TL3 and its GEN2 variants, BluePlanet 137 TL3, BluePlanet 150 TL3 and its GEN2 variants, BluePlanet 155 TL3 and its GEN2 variants, BluePlanet 165 TL3 and its GEN2 variants, BluePlanet 25.0 NX3 through 33.0 NX3, BluePlanet 3.0 NX3 to 20.0 NX3, BluePlanet 3.0-5.0 NX1, BluePlanet 360 NX3 M6, BluePlanet 50.0 NX3-60.0 NX3, BluePlanet 87.0 TL3 and its GEN2 variant, BluePlanet 92.0 TL3 and its GEN2 variant, BluePlanet gridsafe 110 TL3-S, BluePlanet gridsafe 137 TL3-S, BluePlanet gridsafe 92.0 TL3-S, BluePlanet hybrid 10.0 TL3, and BluePlanet hybrid 6.0 NH3-12.0 NH3. All listed models are affected regardless of firmware or software version.
Risk and Exploitability
The CVSS score of 5.9 indicates moderate severity, reflecting that exploitation requires an authenticated attacker already present on the local network. Because no EPSS data is available, the likelihood of exploitation cannot be precisely quantified; the vulnerability is also not currently listed in the CISA KEV catalog, which suggests no widespread public exploitation has been documented. Nevertheless, the database-level privilege elevation could lead to full control of the asset, compromising confidentiality, integrity, and availability within the local network. Based on the description, an attacker must have authorized local network access to exploit the flaw: they would need to be authenticated or otherwise hold legitimate credentials to interact with the KACO Meteor server, and there is no mention of remote access.
OpenCVE Enrichment