VYPR
Advisory · Published Jun 23, 2026 · 1 source

CISA Warns of OS Command Injection and Privilege Escalation Flaws in Siemens SINEC INS

CISA disclosed four vulnerabilities in Siemens SINEC INS, including a critical OS command injection flaw allowing authenticated remote code execution on industrial systems.

CISA published an advisory on June 23, 2026, detailing multiple vulnerabilities in Siemens SINEC INS, network infrastructure software used in the critical manufacturing, energy, transportation, and healthcare sectors. The flaws, tracked as CVE-2026-46746, CVE-2026-46747, CVE-2026-46748, and CVE-2026-46749, affect all versions before V1.0 SP2 Update 6 and pose serious risks to operational technology environments.

The most severe vulnerability, CVE-2026-46746 (CVSS 8.8), is an OS command injection flaw in the /api/sftp/uploadFiles endpoint. The application fails to properly sanitize user input, allowing an authenticated remote attacker to inject shell commands via crafted directory names. These payloads are stored and executed when directory listings are retrieved, granting the attacker arbitrary command execution on the underlying operating system with the privileges of the sinecins service user.

A path traversal vulnerability, CVE-2026-46747 (CVSS 4.3), exists in the same GET /api/sftp/uploadFiles endpoint. By supplying crafted path input, an attacker can traverse directories to access unintended file system locations, potentially exposing sensitive configuration data. While its medium severity limits direct impact, it can be chained with other flaws.

Two additional high-severity flaws compound the risk. CVE-2026-46748 (CVSS 8.8) stems from an included binary configured with the cap_dac_override capability, which bypasses file system permission checks. A local attacker can escalate privileges to root, enabling arbitrary file modification and full system compromise. CVE-2026-46749 (CVSS 7.5) involves a password hashing implementation that uses a static, hardcoded salt shared across all users and installations, combined with an insufficient number of iterations. This allows an attacker to recover user passwords through brute-force or precomputed attacks, facilitating unauthorized access.
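The static-salt weakness described for CVE-2026-46749, as an added example that is not Siemens' code: PBKDF2-HMAC-SHA256, the salt value, and the iteration counts are assumptions chosen for illustration, since the advisory does not name the algorithm. It shows that a shared salt makes identical passwords produce identical stored hashes, a signal a defender can audit for, and that a per-user random salt removes it.

```python
from __future__ import annotations

import hashlib
import hmac
import os

# Constructed values for illustration; not taken from SINEC INS.
STATIC_SALT = b"constructed-static-salt"
WEAK_ITERATIONS = 1_000
STRONG_ITERATIONS = 600_000


def weak_hash(password: str) -> bytes:
    """Flawed pattern: one hardcoded salt for every user, low iteration count."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), STATIC_SALT, WEAK_ITERATIONS)


def strong_hash(password: str, salt: bytes | None = None) -> tuple[bytes, bytes]:
    """Hardened pattern: fresh 16-byte random salt per user, high iteration count."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, STRONG_ITERATIONS)
    return salt, digest


def verify(password: str, salt: bytes, expected: bytes) -> bool:
    """Recompute with the stored per-user salt and compare in constant time."""
    _, digest = strong_hash(password, salt)
    return hmac.compare_digest(digest, expected)


def duplicate_hash_groups(store: dict[str, bytes]) -> list[list[str]]:
    """Audit helper: group accounts whose stored hashes are byte-identical."""
    groups: dict[bytes, list[str]] = {}
    for user, digest in store.items():
        groups.setdefault(digest, []).append(user)
    return [sorted(users) for users in groups.values() if len(users) > 1]


if __name__ == "__main__":
    # Constructed accounts: two users happen to share a password.
    accounts = {"alice": "Winter2026!", "bob": "Winter2026!", "carol": "x9#kLm2p"}
    weak_store = {u: weak_hash(p) for u, p in accounts.items()}
    strong_store = {u: strong_hash(p)[1] for u, p in accounts.items()}
    print("static salt, shared hashes:", duplicate_hash_groups(weak_store))
    print("per-user salt, shared hashes:", duplicate_hash_groups(strong_store))
```

With the hardened pattern the salt is stored alongside each digest, so verification still works while a table computed for one account is useless against any other.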

Siemens has released SINEC INS V1.0 SP2 Update 6 to address all four vulnerabilities. Users are strongly urged to update immediately. Siemens also recommends protecting network access to devices with firewalls and VPNs, isolating control system networks from business networks, and following Siemens' operational guidelines for Industrial Security. CISA notes that while no public exploits have been confirmed, the critical nature of the command injection flaw makes prompt patching essential.

This advisory highlights a persistent trend in industrial control system (ICS) security: legacy software assumptions about trust boundaries and password handling continue to expose critical infrastructure to significant risk. The layered vulnerabilities in SINEC INS underscore the need for defense-in-depth and rigorous patch management in OT environments.

Synthesized by Vypr AI