PatchSiren cyber security CVE debrief
CVE-2026-46749 Siemens CVE debrief
A vulnerability has been identified in SINEC INS (All versions < V1.0 SP2 Update 6). The affected application uses a password hashing implementation with a static, hardcoded salt shared across all users and installations, and is configured with an insufficient number of iterations. This could allow an attacker to efficiently recover user passwords using brute-force or precomputed attacks, potentially resulting in unauthorized access.
- Vendor: Siemens
- Product: SINEC INS
- CVSS: MEDIUM 4.9
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-09
- Original CVE updated: 2026-06-12
- Advisory published: 2026-06-09
- Advisory updated: 2026-06-12
Who should care
Users of Siemens SINEC INS (All versions < V1.0 SP2 Update 6) should be aware of this vulnerability and take steps to mitigate it.
Technical summary
The vulnerability is caused by the use of a static, hardcoded salt shared across all users and installations, and an insufficient number of iterations in the password hashing implementation. This allows an attacker to efficiently recover user passwords using brute-force or precomputed attacks.
Defensive priority
MEDIUM
Recommended defensive actions
- Update to SINEC INS V1.0 SP2 Update 6 or later.
- Implement a secure password hashing algorithm with a sufficient number of iterations.
- Use a unique salt for each user.
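The two hashing recommendations above, sketched as an added example (not Siemens code and not taken from the advisory). It assumes PBKDF2-HMAC-SHA256, since the advisory does not name the product's algorithm; the salt value, iteration counts, record format and function names are constructed for illustration.

```python
import hashlib
import hmac
import secrets
from collections import defaultdict

# Assumption: PBKDF2-HMAC-SHA256 stands in for the unnamed product algorithm.
ITERATIONS = 600_000                      # OWASP guidance for PBKDF2-HMAC-SHA256
STATIC_SALT = b"constructed-static-salt"  # constructed stand-in for a hardcoded salt
WEAK_ITERATIONS = 1_000                   # constructed "insufficient" work factor

def weak_hash(password):
    """Flawed pattern: one salt for every user and installation, low iterations."""
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), STATIC_SALT, WEAK_ITERATIONS)
    return dk.hex()

def strong_hash(password, iterations=ITERATIONS):
    """Per-user random salt; parameters are stored with the hash so they can be raised."""
    salt = secrets.token_bytes(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"

def verify(password, record):
    """Recompute with the stored salt and iterations, compare in constant time."""
    scheme, iterations, salt_hex, dk_hex = record.split("$")
    if scheme != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))

def needs_rehash(record, minimum=ITERATIONS):
    """True when a stored record was created below the current work factor."""
    return int(record.split("$")[1]) < minimum

def shared_hash_groups(store):
    """Audit check: accounts with identical stored hashes. With per-user salts
    this list is empty even when several users chose the same password."""
    groups = defaultdict(list)
    for user, stored in store.items():
        groups[stored].append(user)
    return sorted(sorted(users) for users in groups.values() if len(users) > 1)

if __name__ == "__main__":
    # Constructed accounts: two users pick the same password.
    users = {"alice": "Winter2026!", "bob": "Winter2026!", "carol": "x9#Lq"}
    weak = {u: weak_hash(p) for u, p in users.items()}
    strong = {u: strong_hash(p) for u, p in users.items()}
    print("static salt :", shared_hash_groups(weak))    # alice and bob collide
    print("per-user salt:", shared_hash_groups(strong))  # no collisions
```

Running `shared_hash_groups` over an exported credential table is a quick way to confirm that salts are actually unique per account, and `needs_rehash` lets existing records be upgraded at next successful login.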
Evidence notes
The vulnerability is described in the CVE-2026-46749 record and the Siemens Security Advisory SSA-860189.
Official resources
- CVE-2026-46749 CVE record (CVE.org)
- CVE-2026-46749 NVD detail (NVD)
- Source item URL (nvd_modified)
- Mitigation or vendor reference (Vendor Advisory)
CVE-2026-46749 was published on 2026-06-09T10:16:44.410Z and modified on 2026-06-12T15:15:09.300Z.