VYPR
← All advisories
High severity7.5NVD Advisory· Published Jun 9, 2026· Updated Jun 9, 2026

CVE-2026-46749

CVE-2026-46749

Description

SINEC INS versions prior to V1.0 SP2 Update 6 contain a weak password hashing mechanism, allowing attackers to recover user credentials and gain unauthorized access.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

SINEC INS versions prior to V1.0 SP2 Update 6 contain a weak password hashing mechanism, allowing attackers to recover user credentials and gain unauthorized access.

Vulnerability

A vulnerability exists in SINEC INS versions prior to V1.0 SP2 Update 6. The application uses a static, hardcoded salt for password hashing, shared across all users and installations, and employs an insufficient number of hashing iterations. This configuration makes the password storage susceptible to efficient brute-force and precomputed attacks.

Exploitation

An attacker with the ability to obtain the password hashes could leverage this vulnerability. By using brute-force techniques or precomputed rainbow tables against the static salt and low iteration count, an attacker can efficiently recover user passwords.

Impact

Successful exploitation allows an attacker to recover user passwords. This can lead to unauthorized access to the SINEC INS system, potentially compromising sensitive information or system control depending on the privileges of the compromised user accounts.

Mitigation

Siemens has released version V1.0 SP2 Update 6 for SINEC INS, which addresses this vulnerability. Users are advised to update to V1.0 SP2 Update 6 or a later version. Further details and download links can be found in the Siemens advisory [1].

References
  1. SSA-860189

AI Insight generated on Jun 9, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

1

Patches

0

No patches discovered yet.

Vulnerability mechanics

No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.

References

1

News mentions

1