Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from Vendor (siemens) · only source for this CVE.
CVSS VectorVendor: siemens
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
2DescriptionCVE.org
A vulnerability has been identified in SINEC INS (All versions < V1.0 SP2 Update 6). The application does not properly sanitize user input in the /api/sftp/uploadFiles endpoint, allowing the injection of shell command payloads via crafted directory names. These payloads are stored and executed when directory listings are retrieved. This could allow an authenticated remote attacker to execute arbitrary commands on the underlying operating system with the privileges of the affected service user (sinecins).
AnalysisAI
Authenticated command injection in Siemens SINEC INS versions prior to V1.0 SP2 Update 6 allows remote attackers to execute arbitrary OS commands as the sinecins service account by submitting crafted directory names to the /api/sftp/uploadFiles endpoint. The injected payloads are stored and triggered later when directory listings are retrieved, producing a stored/second-order command injection. No public exploit identified at time of analysis, but the CVSS 4.0 base score of 8.7 reflects high impact across confidentiality, integrity, and availability of the underlying host.
Technical ContextAI
SINEC INS (Infrastructure Network Services) is Siemens' centralized management appliance providing services such as RADIUS, syslog, DHCP, SFTP, and certificate handling for industrial network infrastructure (CPE cpe:2.3:a:siemens:sinec_ins:*). The flaw is a classic CWE-78 OS Command Injection: the SFTP upload handler accepts a directory name parameter that is later interpolated into a shell command (most plausibly an ls/find/stat call during directory enumeration) without proper sanitization or use of parameterized execution. Because the payload is persisted and only executed when an admin or process subsequently lists directories, this is effectively stored command injection - a more dangerous variant than reflected injection because the trigger is decoupled from the initial request.
RemediationAI
Vendor-released patch: SINEC INS V1.0 SP2 Update 6 - upgrade all instances to this version or later per Siemens ProductCERT SSA-860189 (https://cert-portal.siemens.com/productcert/html/ssa-860189.html). Until the upgrade can be deployed, restrict network access to the SINEC INS management interface to a dedicated administration VLAN or jump host so that only trusted operators can reach /api/sftp/uploadFiles, and tighten role assignments so that low-privilege accounts with SFTP upload rights are minimized - the trade-off is operational friction for legitimate SFTP users and reduced self-service for field engineers. Additionally, audit existing SFTP directory names on deployed instances for suspicious shell metacharacters (backticks, $(), semicolons, pipes) before the patch runs and triggers any pre-planted payload, since this is a stored injection where malicious directory names may already be present.
A weak randomness in WebCrypto keygen vulnerability exists in Node.js 18 due to a change with EntropySource() in SecretK
When sending data to an MQTT server, libcurl <= 7.73.0 and 7.78.0 could in some circumstances erroneously keep a pointer
json-c through 0.14 has an integer overflow and out-of-bounds write via a large JSON file, as demonstrated by printbuf_m
axios is vulnerable to Inefficient Regular Expression Complexity. Rated high severity (CVSS 7.5), this vulnerability is
The package ua-parser-js before 0.7.23 are vulnerable to Regular Expression Denial of Service (ReDoS) in multiple regexe
In ISC DHCP 4.1-ESV-R1 -> 4.1-ESV-R16, ISC DHCP 4.4.0 -> 4.4.2 (Other branches of ISC DHCP (i.e., releases in the 4.0.x
Lodash versions prior to 4.17.21 are vulnerable to Command Injection via the template function. Rated high severity (CVS
The llhttp parser in the http module in Node v18.7.0 does not correctly handle header fields that are not terminated wit
The llhttp parser <v14.20.1, <v16.17.1 and <v18.9.1 in the http module in Node.js does not correctly handle multi-line T
The llhttp parser <v14.20.1, <v16.17.1 and <v18.9.1 in the http module in Node.js does not correctly parse and validate
Axios NPM package 0.21.0 contains a Server-Side Request Forgery (SSRF) vulnerability where an attacker is able to bypass
A vulnerability has been identified in SINEC INS (All versions < V1.0 SP2 Update 2). Rated critical severity (CVSS 9.8),
Same weakness CWE-78 – OS Command Injection
View allSame technique Command Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-35383
GHSA-vxxj-9x7w-4356