Authorization Bypass Vulnerability in SINEC NMS Before V4.0 SP3

Plan Patch | CVSS 8.8 | SSA-605717 | Apr 14, 2026
Siemens
Attack path
Attack Vector: Network
Auth Required: Low
Complexity: Low
User Interaction: None needed
Summary

SINEC NMS before V4.0 SP3 contains an authorization bypass vulnerability in password reset functionality. An authenticated user can bypass authorization checks and reset arbitrary user account passwords, including administrative accounts. This could allow an attacker with standard user credentials to escalate privileges and gain full administrative control of the NMS system.

What this means
What could happen
An attacker with user-level credentials on the network could bypass authorization checks and reset any user account password, including administrator accounts, giving them full control of the NMS system. This could allow them to disable alarms, modify network monitoring, or lock out legitimate operators from the system.
Who's at risk
Network managers and operators at utilities using SINEC NMS for grid monitoring and control. Organizations with multi-site Siemens SCADA/ICS networks that rely on NMS for centralized visibility and alarm management. Any facility where NMS is used to monitor critical infrastructure devices.
How it could be exploited
An attacker with valid user credentials (non-admin) connects to SINEC NMS and exploits an authorization bypass flaw to call password reset functions without proper permission checks. The attacker can then reset any account password, including admin accounts, and use those credentials to gain administrative access to the entire NMS system.
Prerequisites
  • Valid user account credentials (standard user level, not admin)
  • Network access to SINEC NMS on default management ports
  • SINEC NMS version prior to 4.0 SP3 deployed and accessible
Tags: remotely exploitable; low authentication required (standard user credentials); low complexity; affects network visibility and control systems
Exploitability
Unlikely to be exploited — EPSS score 0.1%
Affected products (1)
Product: SINEC NMS
Affected Versions: All versions < V4.0 SP3
Fix Status: 4.0 SP3
Remediation & Mitigation
Do now
WORKAROUND: Restrict network access to SINEC NMS to trusted administrator workstations and engineering networks only using firewall rules
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Update SINEC NMS to version 4.0 SP3 or later
Long-term hardening
HARDENING: Implement network segmentation to isolate NMS systems from general corporate network
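
Until the update is installed, the pattern described under "How it could be exploited" (a standard user resetting another account's password, then that account being used) can be hunted for in audit data. The check below is an added example, not code from Siemens or this advisory; the JSON event schema (ts, event, actor, actor_role, target, src) and the sample records are constructed assumptions, so map the field names to what your NMS audit export or SIEM actually provides.

```python
import json
from datetime import datetime, timedelta

# Constructed sample events in an ASSUMED normalized schema (not the product's native log format).
SAMPLE_EVENTS = """\
{"ts":"2026-04-20T08:01:00","event":"password_reset","actor":"alice.admin","actor_role":"admin","target":"op1","src":"10.0.5.10"}
{"ts":"2026-04-20T09:14:07","event":"password_reset","actor":"op2","actor_role":"user","target":"op2","src":"10.0.7.21"}
{"ts":"2026-04-20T11:30:12","event":"password_reset","actor":"op3","actor_role":"user","target":"alice.admin","src":"10.0.7.44"}
{"ts":"2026-04-20T11:31:40","event":"login_success","actor":"alice.admin","actor_role":"admin","target":"alice.admin","src":"10.0.7.44"}
"""

def find_suspicious_resets(lines, window=timedelta(minutes=15)):
    """Flag resets of another account's password by a non-admin actor."""
    events = []
    for line in lines.splitlines():
        if not line.strip():
            continue
        try:
            ev = json.loads(line)
            ev["ts"] = datetime.fromisoformat(ev["ts"])
        except (ValueError, KeyError, TypeError):
            continue  # skip malformed records instead of aborting the hunt
        events.append(ev)
    events.sort(key=lambda e: e["ts"])

    findings = []
    for i, ev in enumerate(events):
        if ev.get("event") != "password_reset":
            continue
        if ev.get("actor") == ev.get("target") or ev.get("actor_role") == "admin":
            continue  # self-service or administrator reset: expected behaviour
        # Escalate when the reset account then logs in from the same source.
        followed = any(
            later.get("event") == "login_success"
            and later.get("actor") == ev.get("target")
            and later.get("src") == ev.get("src")
            and later["ts"] - ev["ts"] <= window
            for later in events[i + 1:]
        )
        findings.append({"actor": ev.get("actor"), "target": ev.get("target"),
                         "src": ev.get("src"), "severity": "high" if followed else "medium"})
    return findings

if __name__ == "__main__":
    for finding in find_suspicious_resets(SAMPLE_EVENTS):
        print(finding)
```

A "medium" finding (cross-account reset with no follow-on login in the window) still warrants review on an unpatched system, since a standard user should not be able to perform that reset at all.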
API: /api/v1/advisories/b383d938-7d00-47dd-a582-29edbcf50f0f
