Severity by source
CVSS:4.0/AV:L/AC:H/AT:P/PR:H/UI:N/VC:L/VI:N/VA:N/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from Vendor (siemens) · only source for this CVE.
CVSS VectorVendor: siemens
CVSS:4.0/AV:L/AC:H/AT:P/PR:H/UI:N/VC:L/VI:N/VA:N/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3DescriptionCVE.org
A vulnerability has been identified in SINEC INS (All versions < V1.0 SP2 Update 6). The affected application uses a password hashing implementation with a static, hardcoded salt shared across all users and installations, and is configured with an insufficient number of iterations. This could allow an attacker to efficiently recover user passwords using brute-force or precomputed attacks, potentially resulting in unauthorized access.
AnalysisAI
Weak password hashing in Siemens SINEC INS (all versions prior to V1.0 SP2 Update 6) exposes stored credentials to efficient offline recovery due to a static, hardcoded salt shared universally across all users and installations, combined with an insufficient iteration count. An attacker who has obtained high-privileged local access and can extract the password store can leverage the known static salt to construct targeted rainbow tables or run accelerated brute-force attacks, potentially recovering plaintext passwords and achieving unauthorized access to the application and downstream industrial network infrastructure. No public exploit code or CISA KEV listing has been identified at time of analysis, but the cryptographic weakness is deterministic - once hashes are obtained, the static salt eliminates per-user uniqueness and dramatically reduces attack cost.
Technical ContextAI
SINEC INS (Infrastructure Network Services) is a Siemens industrial network management platform used in OT/ICS environments. The vulnerability is classified under CWE-760 (Use of a One-Way Hash with a Predictable Salt), which describes the failure mode where a cryptographic hash function is applied to passwords using a salt value that is either static, hardcoded, or shared - negating the primary security benefit of salting. The affected CPE string (cpe:2.3:a:siemens:sinec_ins:*:*:*:*:*:*:*:*) covers all versions of the application prior to V1.0 SP2 Update 6. Because every installation uses the same salt, an attacker who extracts hashes from any deployment can precompute a single rainbow table applicable to all deployments globally. The insufficient iteration count compounds the weakness by allowing faster per-guess processing on commodity hardware or GPUs. Together, these flaws reduce a hash-based credential store to something functionally similar to an unsalted MD5 database in terms of offline attack resistance.
RemediationAI
Vendor-released patch: V1.0 SP2 Update 6. Organizations running SINEC INS should upgrade to V1.0 SP2 Update 6 or later as the primary remediation, following guidance in Siemens ProductCERT advisory SSA-860189 at https://cert-portal.siemens.com/productcert/html/ssa-860189.html. If immediate patching is not feasible, organizations should treat all existing stored credentials in SINEC INS as potentially compromised and force password resets for all users, selecting long, high-entropy passwords to increase offline brute-force cost despite the weak hashing. As a compensating control, restrict access to the SINEC INS application and its underlying data store to only explicitly authorized, least-privilege accounts; this directly addresses the AV:L/PR:H prerequisite for exploitation. Network segmentation should be enforced to limit the blast radius if credentials are recovered and used for lateral movement into connected industrial systems. Note that password resets alone do not fix the underlying cryptographic weakness - they only raise the per-password attack cost transiently.
A weak randomness in WebCrypto keygen vulnerability exists in Node.js 18 due to a change with EntropySource() in SecretK
When sending data to an MQTT server, libcurl <= 7.73.0 and 7.78.0 could in some circumstances erroneously keep a pointer
json-c through 0.14 has an integer overflow and out-of-bounds write via a large JSON file, as demonstrated by printbuf_m
axios is vulnerable to Inefficient Regular Expression Complexity. Rated high severity (CVSS 7.5), this vulnerability is
The package ua-parser-js before 0.7.23 are vulnerable to Regular Expression Denial of Service (ReDoS) in multiple regexe
In ISC DHCP 4.1-ESV-R1 -> 4.1-ESV-R16, ISC DHCP 4.4.0 -> 4.4.2 (Other branches of ISC DHCP (i.e., releases in the 4.0.x
Lodash versions prior to 4.17.21 are vulnerable to Command Injection via the template function. Rated high severity (CVS
The llhttp parser in the http module in Node v18.7.0 does not correctly handle header fields that are not terminated wit
The llhttp parser <v14.20.1, <v16.17.1 and <v18.9.1 in the http module in Node.js does not correctly handle multi-line T
The llhttp parser <v14.20.1, <v16.17.1 and <v18.9.1 in the http module in Node.js does not correctly parse and validate
Axios NPM package 0.21.0 contains a Server-Side Request Forgery (SSRF) vulnerability where an attacker is able to bypass
A vulnerability has been identified in SINEC INS (All versions < V1.0 SP2 Update 2). Rated critical severity (CVSS 9.8),
Same technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-35386
GHSA-c5mx-3x5g-xmjx