Skip to main content

SINEC INS CVE-2026-46749

| EUVDEUVD-2026-35386 MEDIUM
Use of a One-Way Hash with a Predictable Salt (CWE-760)
2026-06-09 siemens GHSA-c5mx-3x5g-xmjx
4.9
CVSS 4.0 · Vendor: siemens
Share

Severity by source

Vendor (siemens) PRIMARY
4.9 MEDIUM
CVSS:4.0/AV:L/AC:H/AT:P/PR:H/UI:N/VC:L/VI:N/VA:N/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from Vendor (siemens) · only source for this CVE.

CVSS VectorVendor: siemens

CVSS:4.0/AV:L/AC:H/AT:P/PR:H/UI:N/VC:L/VI:N/VA:N/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Local
Attack Complexity
High
Privileges Required
High
User Interaction
None
Scope
X

Lifecycle Timeline

3
Analysis Generated
Jun 09, 2026 - 10:38 vuln.today
Severity Changed
Jun 09, 2026 - 10:22 NVD
HIGH MEDIUM
CVSS changed
Jun 09, 2026 - 10:22 NVD
7.5 (HIGH) 4.9 (MEDIUM)

DescriptionCVE.org

A vulnerability has been identified in SINEC INS (All versions < V1.0 SP2 Update 6). The affected application uses a password hashing implementation with a static, hardcoded salt shared across all users and installations, and is configured with an insufficient number of iterations. This could allow an attacker to efficiently recover user passwords using brute-force or precomputed attacks, potentially resulting in unauthorized access.

AnalysisAI

Weak password hashing in Siemens SINEC INS (all versions prior to V1.0 SP2 Update 6) exposes stored credentials to efficient offline recovery due to a static, hardcoded salt shared universally across all users and installations, combined with an insufficient iteration count. An attacker who has obtained high-privileged local access and can extract the password store can leverage the known static salt to construct targeted rainbow tables or run accelerated brute-force attacks, potentially recovering plaintext passwords and achieving unauthorized access to the application and downstream industrial network infrastructure. No public exploit code or CISA KEV listing has been identified at time of analysis, but the cryptographic weakness is deterministic - once hashes are obtained, the static salt eliminates per-user uniqueness and dramatically reduces attack cost.

Technical ContextAI

SINEC INS (Infrastructure Network Services) is a Siemens industrial network management platform used in OT/ICS environments. The vulnerability is classified under CWE-760 (Use of a One-Way Hash with a Predictable Salt), which describes the failure mode where a cryptographic hash function is applied to passwords using a salt value that is either static, hardcoded, or shared - negating the primary security benefit of salting. The affected CPE string (cpe:2.3:a:siemens:sinec_ins:*:*:*:*:*:*:*:*) covers all versions of the application prior to V1.0 SP2 Update 6. Because every installation uses the same salt, an attacker who extracts hashes from any deployment can precompute a single rainbow table applicable to all deployments globally. The insufficient iteration count compounds the weakness by allowing faster per-guess processing on commodity hardware or GPUs. Together, these flaws reduce a hash-based credential store to something functionally similar to an unsalted MD5 database in terms of offline attack resistance.

RemediationAI

Vendor-released patch: V1.0 SP2 Update 6. Organizations running SINEC INS should upgrade to V1.0 SP2 Update 6 or later as the primary remediation, following guidance in Siemens ProductCERT advisory SSA-860189 at https://cert-portal.siemens.com/productcert/html/ssa-860189.html. If immediate patching is not feasible, organizations should treat all existing stored credentials in SINEC INS as potentially compromised and force password resets for all users, selecting long, high-entropy passwords to increase offline brute-force cost despite the weak hashing. As a compensating control, restrict access to the SINEC INS application and its underlying data store to only explicitly authorized, least-privilege accounts; this directly addresses the AV:L/PR:H prerequisite for exploitation. Network segmentation should be enforced to limit the blast radius if credentials are recovered and used for lateral movement into connected industrial systems. Note that password resets alone do not fix the underlying cryptographic weakness - they only raise the per-password attack cost transiently.

CVE-2022-35255 CRITICAL POC
9.1 Dec 05

A weak randomness in WebCrypto keygen vulnerability exists in Node.js 18 due to a change with EntropySource() in SecretK

CVE-2021-22945 CRITICAL POC
9.1 Sep 23

When sending data to an MQTT server, libcurl <= 7.73.0 and 7.78.0 could in some circumstances erroneously keep a pointer

CVE-2020-12762 HIGH POC
7.8 May 09

json-c through 0.14 has an integer overflow and out-of-bounds write via a large JSON file, as demonstrated by printbuf_m

CVE-2021-3749 HIGH POC
7.5 Aug 31

axios is vulnerable to Inefficient Regular Expression Complexity. Rated high severity (CVSS 7.5), this vulnerability is

CVE-2020-7793 HIGH POC
7.5 Dec 11

The package ua-parser-js before 0.7.23 are vulnerable to Regular Expression Denial of Service (ReDoS) in multiple regexe

CVE-2021-25217 HIGH POC
7.4 May 26

In ISC DHCP 4.1-ESV-R1 -> 4.1-ESV-R16, ISC DHCP 4.4.0 -> 4.4.2 (Other branches of ISC DHCP (i.e., releases in the 4.0.x

CVE-2021-23337 HIGH POC
7.2 Feb 15

Lodash versions prior to 4.17.21 are vulnerable to Command Injection via the template function. Rated high severity (CVS

CVE-2022-35256 MEDIUM POC
6.5 Dec 05

The llhttp parser in the http module in Node v18.7.0 does not correctly handle header fields that are not terminated wit

CVE-2022-32215 MEDIUM POC
6.5 Jul 14

The llhttp parser <v14.20.1, <v16.17.1 and <v18.9.1 in the http module in Node.js does not correctly handle multi-line T

CVE-2022-32213 MEDIUM POC
6.5 Jul 14

The llhttp parser <v14.20.1, <v16.17.1 and <v18.9.1 in the http module in Node.js does not correctly parse and validate

CVE-2020-28168 MEDIUM POC
5.9 Nov 06

Axios NPM package 0.21.0 contains a Server-Side Request Forgery (SSRF) vulnerability where an attacker is able to bypass

CVE-2023-48427 CRITICAL
9.8 Dec 12

A vulnerability has been identified in SINEC INS (All versions < V1.0 SP2 Update 2). Rated critical severity (CVSS 9.8),

Share

CVE-2026-46749 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy