CVE-2026-46746

Vulnerability

A vulnerability exists in SINEC INS, affecting all versions prior to V1.0 SP2 Update 6. The /api/sftp/uploadFiles endpoint does not properly sanitize user-supplied directory names, allowing for the injection of shell command payloads. These commands are stored and subsequently executed when directory listings are retrieved.

Exploitation

An authenticated remote attacker can exploit this vulnerability by crafting a directory name containing shell command payloads. This payload is stored when uploading files via the SFTP endpoint. The commands are then executed when the attacker triggers a directory listing operation.

Impact

Successful exploitation allows an authenticated remote attacker to execute arbitrary commands on the underlying operating system. These commands will run with the privileges of the sinecins service user, potentially leading to unauthorized system access or modification.

Mitigation

Siemens has released SINEC INS V1.0 SP2 Update 6 as a fix for this vulnerability. Users are advised to update to V1.0 SP2 Update 6 or a later version. Further details and download links can be found in the Siemens advisory [1].