Description
A vulnerability has been identified in SINEC NMS (All versions < V4.0 SP3 with UMC). The affected application contains an authentication weakness due to insufficient validation of user identity in the UMC component.
This could allow an unauthenticated remote attacker to bypass authentication and gain unauthorized access to the application. (ZDI-CAN-27564)
Published: 2026-04-14
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Authentication Bypass
Action: Patch Immediately
AI Analysis

Impact

The vulnerability is an insufficient validation of user identity in the Universal Management Controller (UMC) component of SINEC NMS, allowing an unauthenticated remote attacker to bypass authentication and gain unauthorized access to the application. This flaw could expose sensitive configuration data and enable further compromise if an attacker is granted access.

Affected Systems

Siemens SINEC Network Management System is affected. All versions older than 4.0 Service Pack 3 that include the UMC component are vulnerable. Users should verify whether their installation matches these criteria.

Risk and Exploitability

The CVSS score of 6.9 indicates moderate-to-high severity. EPSS data is not available, and the issue is not listed in the CISA KEV catalog. The likely attack vector is remote; an attacker only needs network access to the UMC interface, with no prior credentials required. The simplicity of the bypass makes exploitation relatively straightforward, raising the overall risk for exposed systems.

Generated by OpenCVE AI on April 14, 2026 at 10:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the Siemens update that addresses the authentication weakness and upgrade to version 4.0 Service Pack 3 or later.
  • If an update is not immediately available, block external network access to the UMC component until the patch can be applied.
  • After patching, perform a security scan or verification test to confirm the vulnerability is remediated.
  • Continuously monitor authentication logs for suspicious or repeated access attempts to detect potential exploitation.

Advisories

No advisories yet.

History

Tue, 14 Apr 2026 16:45:00 +0000

Type | Values Removed | Values Added
Title | | Unauthorized Access via Authentication Bypass in Siemens SINEC NMS UMC Component

Tue, 14 Apr 2026 16:30:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Siemens; Siemens sinec-nms
Vendors & Products | | Siemens; Siemens sinec-nms

Tue, 14 Apr 2026 14:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 14 Apr 2026 09:00:00 +0000

Type | Values Removed | Values Added
Description | | A vulnerability has been identified in SINEC NMS (All versions < V4.0 SP3 with UMC). The affected application contains an authentication weakness due to insufficient validation of user identity in the UMC component. This could allow an unauthenticated remote attacker to bypass authentication and gain unauthorized access to the application. (ZDI-CAN-27564)
Weaknesses | | CWE-347
References | |
Metrics | | cvssV3_1: {'score': 7.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L'}
Metrics | | cvssV4_0: {'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N'}

MITRE

Status: PUBLISHED

Assigner: siemens

Published:

Updated: 2026-04-14T13:18:01.056Z

Reserved: 2026-01-20T15:47:59.075Z

Link: CVE-2026-24032

Vulnrichment

Updated: 2026-04-14T13:17:57.061Z

NVD

Status: Awaiting Analysis

Published: 2026-04-14T09:16:34.900

Modified: 2026-04-17T15:18:16.507

Link: CVE-2026-24032

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-14T16:30:40Z
