Siemens SINEC INS

Plan Patch | CVSS 8.8 | ICS-CERT ICSA-26-174-04 | Jun 9, 2026
Siemens
Attack path
Attack Vector: Network
Auth Required: Low
Complexity: Low
User Interaction: None needed
Summary

SINEC INS before version 1.0 SP2 Update 6 contains multiple vulnerabilities including command injection (CWE-78) and improper privilege handling (CWE-250) that allow authenticated users to execute arbitrary commands with high privileges. These vulnerabilities affect the network management and configuration capabilities of industrial control systems.

What this means
What could happen
An authenticated attacker with engineering workstation access could execute arbitrary commands on SINEC INS with high privileges, potentially compromising network configuration, user management, or safety system monitoring across your industrial network.
Who's at risk
Utilities and industrial plants using SINEC INS for network management and configuration of Siemens industrial control systems, including water treatment facilities, power distribution networks, and manufacturing plants that rely on SINEC INS for device provisioning and monitoring.
How it could be exploited
An attacker with valid credentials to SINEC INS (a network configuration and management system) could exploit command injection or privilege escalation vulnerabilities to execute arbitrary operating system commands on the SINEC INS server. This could allow modification of network settings, user accounts, or monitoring parameters that affect connected industrial devices.
Prerequisites
  • Valid engineering workstation credentials for SINEC INS
  • Network access to SINEC INS management interface or API
  • SINEC INS version earlier than 1.0 SP2 Update 6
  • Requires valid credentials
  • Low complexity exploitation
  • High impact (code execution with administrative privileges)
  • Command injection and privilege escalation vulnerabilities
Exploitability
Unlikely to be exploited — EPSS score 0.4%
Affected products (1)
Product | Affected Versions | Fix Status
SINEC INS | < 1.0.2.6 | 1.0 SP2 Update 6
Remediation & Mitigation
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Update SINEC INS to version 1.0 SP2 Update 6 or later
