Description
A vulnerability has been identified in SINEC INS (All versions < V1.0 SP2 Update 6). The affected application uses a password hashing implementation with a static, hardcoded salt shared across all users and installations, and is configured with an insufficient number of iterations. This could allow an attacker to efficiently recover user passwords using brute-force or precomputed attacks, potentially resulting in unauthorized access.
Published: 2026-06-09
Score: 5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability arises from the use of a static, hard‑coded salt and a small number of hashing iterations in all versions of the Siemens SINEC INS application. This weak password‑hashing scheme allows an attacker to efficiently perform brute‑force or pre‑computed attacks to recover stored passwords. The primary impact is the potential compromise of user accounts, leading to unauthorized access to protected resources within the installation.

Affected Systems

Siemens SINEC INS users of all versions below V1.0 SP2 Update 6 are vulnerable. The affected versions include every release older than the stated update.

Risk and Exploitability

The CVSS score of 5.0 classifies this as a moderate severity weakness. The EPSS score is not available, so the exact probability of exploitation is unknown, but the lack of mitigation makes brute‑force attacks feasible. This vulnerability is not listed in the CISA KEV catalog, suggesting no widespread best‑practice exploitation is currently documented. Since the weakness lies in the authentication processing, the likely attack vector is through the application’s login interface, potentially from remote or local users with access to the authentication system.

Generated by OpenCVE AI on June 9, 2026 at 11:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Contact Siemens to obtain and apply the latest software update that removes the static salt and increases the iteration count.
  • If an update is not immediately available, reset all user passwords and force the use of a stronger, user‑specific salt with an adequate iteration count such as PBKDF2 or Argon2.
  • Implement rate limiting or account lockout policies to deter brute‑force attempts and monitor authentication logs for suspicious activity.

Generated by OpenCVE AI on June 9, 2026 at 11:21 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 09 Jun 2026 14:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 09 Jun 2026 11:45:00 +0000

Type Values Removed Values Added
Title Weak Password Hashing with Static Salt in Siemens SINEC INS
First Time appeared Siemens
Siemens sinec Ins
Vendors & Products Siemens
Siemens sinec Ins

Tue, 09 Jun 2026 10:15:00 +0000

Type Values Removed Values Added
Description A vulnerability has been identified in SINEC INS (All versions < V1.0 SP2 Update 6). The affected application uses a password hashing implementation with a static, hardcoded salt shared across all users and installations, and is configured with an insufficient number of iterations. This could allow an attacker to efficiently recover user passwords using brute-force or precomputed attacks, potentially resulting in unauthorized access.
Weaknesses CWE-760
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H'}

cvssV4_0

{'score': 5, 'vector': 'CVSS:4.0/AV:L/AC:H/AT:P/PR:H/UI:N/VC:L/VI:N/VA:N/SC:H/SI:H/SA:H'}

Subscriptions

Siemens Sinec Ins
cve-icon MITRE

Status: PUBLISHED

Assigner: siemens

Published:

Updated: 2026-06-09T13:10:31.258Z

Reserved: 2026-05-18T09:37:25.766Z

Link: CVE-2026-46749

cve-icon Vulnrichment

Updated: 2026-06-09T13:10:26.712Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-06-09T10:16:44.410

Modified: 2026-06-09T13:49:39.993

Link: CVE-2026-46749

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-09T11:30:03Z

Weaknesses