PatchSiren cyber security CVE debrief
CVE-2026-46747 Siemens CVE debrief
A path traversal vulnerability was identified in Siemens SINEC INS versions prior to V1.0 SP2 Update 6. The issue arises from improper sanitization of path input in the `GET /api/sftp/uploadFiles` endpoint used for directory listing. This allows an attacker to access unintended file system locations through crafted input.
- Vendor: Siemens
- Product: SINEC INS
- CVSS: MEDIUM 5.3
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-09
- Original CVE updated: 2026-06-12
- Advisory published: 2026-06-09
- Advisory updated: 2026-06-12
Who should care
Administrators and users of Siemens SINEC INS versions prior to V1.0 SP2 Update 6 should be aware of this vulnerability and take necessary actions to mitigate the risk.
Technical summary
The vulnerability has a CVSS score of 5.3 and is classified as MEDIUM severity. It allows an attacker with low privileges to access sensitive files and directories, potentially leading to unauthorized data access or modification.
Defensive priority
MEDIUM
Recommended defensive actions
- Update SINEC INS to version V1.0 SP2 Update 6 or later.
- Implement proper input validation and sanitization for path inputs.
- Restrict access to sensitive file system locations.
- Monitor system logs for suspicious activity.
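One way to implement the path validation recommended above for a directory-listing handler, as an added example that is not Siemens code and says nothing about how SINEC INS is built. The base directory layout, the function names and the sample requests are assumptions constructed for illustration.

```python
import os
import tempfile

class PathRejected(ValueError):
    """The requested path is not a directory inside the allowed base."""

def resolve_inside(base_dir: str, user_path: str) -> str:
    """Canonicalize user_path under base_dir, or raise PathRejected."""
    if "\x00" in user_path:
        raise PathRejected("NUL byte in path")
    base = os.path.realpath(base_dir)
    # Always interpret the input relative to base, even with a leading slash.
    joined = os.path.join(base, user_path.lstrip("/\\"))
    # realpath collapses ".." and follows symlinks before the comparison.
    candidate = os.path.realpath(joined)
    # commonpath compares whole components, so "/x/base-old" is not "/x/base".
    if os.path.commonpath([base, candidate]) != base:
        raise PathRejected(f"{user_path!r} resolves outside the base")
    return candidate

def list_directory(base_dir: str, user_path: str) -> list:
    target = resolve_inside(base_dir, user_path)
    if not os.path.isdir(target):
        raise PathRejected(f"{user_path!r} is not a directory")
    return sorted(os.listdir(target))

def demo() -> dict:
    """Run constructed requests against a throwaway directory tree."""
    results = {}
    with tempfile.TemporaryDirectory() as root:
        base = os.path.join(root, "base")
        os.makedirs(os.path.join(base, "uploads"))
        os.makedirs(os.path.join(root, "base-old"))
        os.makedirs(os.path.join(root, "private"))
        open(os.path.join(base, "uploads", "report.csv"), "w").close()
        # Symlink inside the base that points outside it.
        os.symlink(os.path.join(root, "private"), os.path.join(base, "link"))
        for req in ["uploads", "uploads/../uploads", "../private",
                    "../base-old", "link", "/uploads"]:
            try:
                results[req] = list_directory(base, req)
            except PathRejected:
                results[req] = "rejected"
    return results

if __name__ == "__main__":
    for request, outcome in demo().items():
        print(f"{request!r:24} -> {outcome}")
```

The check and the listing are separate steps, so the base directory should not be writable by untrusted users who could swap in a symlink between them.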
Evidence notes
The vulnerability was reported by Siemens and is publicly disclosed through CVE-2026-46747.
Official resources
- CVE-2026-46747 CVE record (CVE.org)
- CVE-2026-46747 NVD detail (NVD)
- Source item URL (nvd_modified)
- Mitigation or vendor reference: Vendor Advisory
CVE-2026-46747 was published on 2026-06-09T10:16:44.130Z and modified on 2026-06-12T15:28:46.490Z.