Siemens SINEC INS: Six Vulnerabilities Disclosed, Including High-Severity Flaws
Six vulnerabilities were disclosed on June 9, 2026, affecting Siemens SINEC INS and other Siemens products, with several rated as High severity.

Key findings
- Six vulnerabilities disclosed on June 9, 2026, impact Siemens SINEC INS and other Siemens products.
- High-severity flaws (up to CVSSv3 8.8) include unrestricted file system access and shell command injection.
- CVE-2026-46748 and CVE-2026-46746 allow for significant system compromise in SINEC INS.
- CVE-2026-46749 points to weak password hashing with a hardcoded salt in SINEC INS.
- Affected SINEC INS versions are prior to V1.0 SP2 Update 6; a patch is available.
- Other affected products include SIMATIC WinCC Unified PC Runtime and SIPROTEC 5 devices.

Siemens is addressing a cluster of six vulnerabilities disclosed on June 9, 2026, impacting its SINEC INS platform and other industrial control systems. The disclosures include several high-severity flaws, with CVSSv3 scores of up to 8.8, posing significant risks to operational environments.
The most critical issues stem from insecure handling of user input and authentication mechanisms within SINEC INS. CVE-2026-46748, rated High (CVSSv3 8.8), involves a binary with the cap_dac_override capability, granting unrestricted file system access. This could allow an attacker to read or modify sensitive system files.
Another High-severity vulnerability, CVE-2026-46746 (CVSSv3 8.8), affects the /api/sftp/uploadFiles endpoint in SINEC INS. This flaw permits the injection of shell command payloads through crafted directory names, which are then stored and executed, potentially leading to remote code execution.
Further compounding the security concerns for SINEC INS is CVE-2026-46747 (Medium, CVSSv3 4.3). This vulnerability arises from improper sanitization of path input in the GET /api/sftp/uploadFiles endpoint, enabling path traversal. Attackers can exploit this to access unintended file system locations.
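The following is an added example, not Siemens code and not taken from the advisory, of server-side validation that addresses both flaw classes described for this endpoint: directory names that carry shell syntax and paths that escape the upload root. The function names, the character allowlist and the 64-character limit are assumptions chosen for illustration.

```python
import re
import tempfile
from pathlib import Path

# Allowlist for one path component (assumed policy): letters, digits, dot,
# underscore, hyphen. Spaces, ;, $, backticks, |, &, quotes and newlines are
# rejected, so a stored directory name can never carry shell syntax.
_COMPONENT = re.compile(r"[A-Za-z0-9._-]{1,64}")


class UnsafePath(ValueError):
    """Raised when a client-supplied path fails validation."""


def resolve_upload_dir(base: Path, client_path: str) -> Path:
    """Map a client-supplied relative directory to a path under base."""
    if not client_path or "\x00" in client_path or client_path.startswith("/"):
        raise UnsafePath("empty, NUL-containing or absolute path")
    parts = client_path.split("/")
    for part in parts:
        # Empty components ("a//b", trailing "/") fail the allowlist as well.
        if part in (".", "..") or not _COMPONENT.fullmatch(part):
            raise UnsafePath(f"rejected component: {part!r}")
    base = base.resolve()
    # resolve() follows symlinks, so a link under base that points elsewhere
    # is caught by the containment check below.
    candidate = base.joinpath(*parts).resolve()
    if not candidate.is_relative_to(base):
        raise UnsafePath("path escapes upload root")
    return candidate


def check(base: Path, client_path: str) -> str:
    """Return 'ok' or 'rejected' for a request path; useful for logging."""
    try:
        resolve_upload_dir(base, client_path)
        return "ok"
    except UnsafePath:
        return "rejected"


if __name__ == "__main__":
    root = Path(tempfile.mkdtemp())  # constructed upload root
    # Constructed sample inputs: one valid path, the rest must be rejected.
    for p in ["configs/site-a", "../../etc", "/etc", "a;b", "$(x)", "x/./y"]:
        print(f"{p!r:20} {check(root, p)}")
```

Validation of the name is only half of the fix for the injection class: any later code that uses the stored name should pass it as an argument vector rather than through a shell.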
Additionally, CVE-2026-46749 (High, CVSSv3 7.5) highlights a weakness in the password hashing implementation within SINEC INS. The system uses a static, hardcoded salt and an insufficient number of iterations, making it vulnerable to brute-force attacks and allowing attackers to potentially recover user credentials.
The batch also includes CVE-2026-24349, a High severity vulnerability affecting multiple versions of SIMATIC WinCC Unified PC Runtime, and CVE-2025-40808, a Medium severity flaw impacting various SIPROTEC 5 devices. Specific details on the root cause for these two vulnerabilities were not fully elaborated in the initial disclosures but are noted as affecting critical industrial components.
All identified vulnerabilities in SINEC INS affect versions prior to V1.0 SP2 Update 6. Siemens has released V1.0 SP2 Update 6 as a patch to address these issues. Users of affected Siemens products are strongly advised to update to the latest patched versions to mitigate these risks. The coordinated disclosure of these vulnerabilities underscores the importance of regular security assessments and timely patching within industrial control systems.