Description
A vulnerability has been identified in SINEC INS (All versions < V1.0 SP2 Update 6). The application does not properly sanitize user input in the /api/sftp/uploadFiles endpoint, allowing the injection of shell command payloads via crafted directory names. These payloads are stored and executed when directory listings are retrieved. This could allow an authenticated remote attacker to execute arbitrary commands on the underlying operating system with the privileges of the affected service user (sinecins).
Published: 2026-06-09
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The flaw is a classic command injection on the /api/sftp/uploadFiles endpoint: crafted directory names are stored without proper sanitization and later executed when directory listings are retrieved, allowing an authenticated attacker to run any shell command as the sinecins service user. This is a high-impact vulnerability classified as CWE-78, capable of compromising the confidentiality, integrity, and availability of the system.

Affected Systems

Siemens SINEC INS software versions earlier than V1.0 SP2 Update 6 are affected. The vulnerability is present in all builds prior to that update.

Risk and Exploitability

With a CVSS score of 8.7 the risk is high; the EPSS score is below 1% (very low), and the vulnerability is not listed in CISA KEV. An attacker who can authenticate to the SINEC INS API can craft a directory name that contains a shell command, which the server will execute during directory list retrieval, giving the attacker arbitrary command execution with the privileges of the sinecins service account.
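To make the mechanism in the Impact and Risk sections concrete, the following added example (not SINEC INS code, and not from Siemens or OpenCVE) shows the stored command-injection pattern as a hypothetical upload/listing handler beside a hardened version. The function names, the /srv/sftp base path, and the sample directory names are assumptions constructed for illustration; the hardened path validates the name against an allowlist at upload time, never hands it to a shell, and checks that the resolved path stays inside the base directory.

```python
"""Added example (not SINEC INS code): the stored command-injection pattern
described in the advisory, as a hypothetical handler, beside a hardened form.
All names and paths here are assumptions for illustration."""
import os
import re
import tempfile

# Allowlist for directory names: must start with a letter or digit, then
# letters, digits, dot, underscore or hyphen; no shell metacharacters, no "..".
SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,63}$")


def build_listing_command_vulnerable(directory_name: str) -> str:
    """Vulnerable pattern (hypothetical): the stored name is interpolated into a
    command string that would later be run with shell=True when a listing is
    requested. Any shell metacharacters in the name become part of the command.
    This function only builds the string; it deliberately does not execute it."""
    return f"ls -l /srv/sftp/{directory_name}"


def validate_directory_name(directory_name: str) -> str:
    """Reject any name outside the allowlist before it is stored."""
    if not SAFE_NAME.fullmatch(directory_name):
        raise ValueError(f"rejected directory name: {directory_name!r}")
    return directory_name


def list_directory_hardened(base_dir: str, directory_name: str) -> list[str]:
    """Hardened pattern: validate the name, use the filesystem API instead of a
    shell, and confirm the resolved path is contained in base_dir."""
    name = validate_directory_name(directory_name)
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, name))
    if os.path.commonpath([base, target]) != base:
        raise ValueError("path escapes base directory")
    return sorted(os.listdir(target))


def build_listing_command_hardened(directory_name: str) -> list[str]:
    """If an external tool must be invoked, pass an argv list (no shell) built
    from the validated name, e.g. subprocess.run(argv, shell=False)."""
    name = validate_directory_name(directory_name)
    return ["ls", "-l", os.path.join("/srv/sftp", name)]


def demo() -> dict:
    """Run both patterns over constructed sample input and return the results."""
    # Constructed sample input: a benign name and one carrying shell metacharacters.
    benign = "reports-2026"
    hostile = "reports; echo injected"
    with tempfile.TemporaryDirectory() as base:
        os.makedirs(os.path.join(base, benign))
        open(os.path.join(base, benign, "a.txt"), "w").close()
        listing = list_directory_hardened(base, benign)
        try:
            list_directory_hardened(base, hostile)
            hostile_rejected = False
        except ValueError:
            hostile_rejected = True
    return {
        "vulnerable_cmd": build_listing_command_vulnerable(hostile),
        "hardened_argv": build_listing_command_hardened(benign),
        "listing": listing,
        "hostile_rejected": hostile_rejected,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The vulnerable builder shows why the stored name is dangerous: the semicolon survives into the command string, so whatever runs that string under a shell executes a second command. The hardened functions fail closed on the same input and, where a tool must be invoked, pass arguments as a list so the name is never parsed by a shell.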

Generated by OpenCVE AI on June 9, 2026 at 11:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Siemens SINEC INS to version V1.0 SP2 Update 6 or later, which contains the input sanitization fix for the upload endpoint.
  • Restrict access to the /api/sftp/uploadFiles endpoint so that only trusted, authenticated users can create directories.
  • Until a patched release is deployed, disable any automatic retrieval of directory listings so that stored payloads are not executed.



Advisories

No advisories yet.

History

Tue, 09 Jun 2026 16:30:00 +0000

  Type: Metrics
  Values Removed:
  Values Added: ssvc
    {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 09 Jun 2026 11:45:00 +0000

  Type: First Time appeared
  Values Removed:
  Values Added: Siemens; Siemens sinec Ins

  Type: Vendors & Products
  Values Removed:
  Values Added: Siemens; Siemens sinec Ins

Tue, 09 Jun 2026 10:15:00 +0000

  Type: Description
  Values Removed:
  Values Added: A vulnerability has been identified in SINEC INS (All versions < V1.0 SP2 Update 6). The application does not properly sanitize user input in the /api/sftp/uploadFiles endpoint, allowing the injection of shell command payloads via crafted directory names. These payloads are stored and executed when directory listings are retrieved. This could allow an authenticated remote attacker to execute arbitrary commands on the underlying operating system with the privileges of the affected service user (sinecins).

  Type: Weaknesses
  Values Removed:
  Values Added: CWE-78

  Type: References
  Values Removed:
  Values Added:

  Type: Metrics
  Values Removed:
  Values Added: cvssV3_1
    {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}
  cvssV4_0
    {'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}


Subscriptions

Siemens Sinec Ins
MITRE

Status: PUBLISHED

Assigner: siemens

Published:

Updated: 2026-06-09T15:12:58.585Z

Reserved: 2026-05-18T09:37:25.766Z

Link: CVE-2026-46746

Vulnrichment

Updated: 2026-06-09T15:12:08.242Z

NVD

Status : Awaiting Analysis

Published: 2026-06-09T10:16:44.000

Modified: 2026-06-09T13:49:39.993

Link: CVE-2026-46746

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-09T11:30:03Z

Weaknesses