Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from Vendor (siemens) · only source for this CVE.
CVSS VectorVendor: siemens
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
2DescriptionCVE.org
A vulnerability has been identified in SINEC INS (All versions < V1.0 SP2 Update 6). The affected application does not properly sanitize path input in the GET /api/sftp/uploadFiles endpoint used for directory listing. This allows path traversal through crafted input, enabling access to unintended file system locations.
AnalysisAI
Path traversal in Siemens SINEC INS versions prior to V1.0 SP2 Update 6 exposes arbitrary file system locations via the SFTP directory listing endpoint. An authenticated low-privileged network attacker can send a crafted path to GET /api/sftp/uploadFiles to read files outside the intended directory scope, resulting in unauthorized disclosure of file system contents. No active exploitation or public proof-of-concept has been identified at time of analysis; the impact is limited to confidentiality with no integrity or availability consequence.
Technical ContextAI
SINEC INS is Siemens' Industrial Network Server software used in OT/ICS environments for network management tasks including SFTP file operations. The affected endpoint GET /api/sftp/uploadFiles performs directory listing but fails to sanitize user-supplied path input against traversal sequences. CWE-26 ('Path Traversal: ../filedir') identifies the root cause as improper neutralization of relative path components such as '../', allowing callers to escape the intended working directory and reference arbitrary file system paths. The CPE cpe:2.3:a:siemens:sinec_ins covers all versions of the application up to the fixed release. Because the vulnerability resides in an API endpoint, it is accessible over the network without requiring physical or local access.
RemediationAI
The primary fix is to upgrade SINEC INS to V1.0 SP2 Update 6 or later, as documented in Siemens PSIRT advisory SSA-860189 at https://cert-portal.siemens.com/productcert/html/ssa-860189.html. If immediate patching is not feasible, restrict access to the SINEC INS management API to trusted, authenticated users and network segments using firewall rules or network ACLs, reducing the pool of principals who can reach the GET /api/sftp/uploadFiles endpoint. Audit existing low-privilege account assignments and revoke credentials for accounts that do not require SFTP management access, since PR:L means any authenticated session can trigger the traversal. Additionally, review file system permissions on the host running SINEC INS so that the application process account has the minimum required read access, limiting the blast radius of any traversal to a restricted directory tree. These compensating controls do not eliminate the vulnerability and patching remains the definitive remediation.
A weak randomness in WebCrypto keygen vulnerability exists in Node.js 18 due to a change with EntropySource() in SecretK
When sending data to an MQTT server, libcurl <= 7.73.0 and 7.78.0 could in some circumstances erroneously keep a pointer
json-c through 0.14 has an integer overflow and out-of-bounds write via a large JSON file, as demonstrated by printbuf_m
axios is vulnerable to Inefficient Regular Expression Complexity. Rated high severity (CVSS 7.5), this vulnerability is
The package ua-parser-js before 0.7.23 are vulnerable to Regular Expression Denial of Service (ReDoS) in multiple regexe
In ISC DHCP 4.1-ESV-R1 -> 4.1-ESV-R16, ISC DHCP 4.4.0 -> 4.4.2 (Other branches of ISC DHCP (i.e., releases in the 4.0.x
Lodash versions prior to 4.17.21 are vulnerable to Command Injection via the template function. Rated high severity (CVS
The llhttp parser in the http module in Node v18.7.0 does not correctly handle header fields that are not terminated wit
The llhttp parser <v14.20.1, <v16.17.1 and <v18.9.1 in the http module in Node.js does not correctly handle multi-line T
The llhttp parser <v14.20.1, <v16.17.1 and <v18.9.1 in the http module in Node.js does not correctly parse and validate
Axios NPM package 0.21.0 contains a Server-Side Request Forgery (SSRF) vulnerability where an attacker is able to bypass
A vulnerability has been identified in SINEC INS (All versions < V1.0 SP2 Update 2). Rated critical severity (CVSS 9.8),
Same weakness CWE-26 – Path Traversal: '/dir/../filename'
View allSame technique Path Traversal
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-35384
GHSA-wxmp-hwgx-g5h8