CVE-2026-46749 PUBLISHED

Assigner: siemens
Reserved: 18.05.2026 Published: 09.06.2026 Updated: 09.06.2026

A vulnerability has been identified in SINEC INS (All versions < V1.0 SP2 Update 6). The affected application uses a password hashing implementation with a static, hardcoded salt shared across all users and installations, and is configured with an insufficient number of iterations. This could allow an attacker to efficiently recover user passwords using brute-force or precomputed attacks, potentially resulting in unauthorized access.

CVSS Vector: CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H
CVSS Score: 7.5

Attack Vector	Local	Scope	Changed
Attack Complexity	High	Confidentiality Impact	High
Privileges Required	High	Integrity Impact	High
User Interaction	None	Availability Impact	High

CVSS 3.1

CVSS Vector: CVSS:4.0/AV:L/AC:H/AT:P/PR:H/UI:N/VC:L/VI:N/VA:N/SC:H/SI:H/SA:H
CVSS Score: 5

Exploitability Metrics		Vulnerable System Impact Metrics		Subsequent System Impact Metrics
Attack Vector	Local	Confidentiality	Low	Confidentiality	High
Attack Complexity	High	Integrity	None	Integrity	High
Attack Requirements	Present	Availability	None	Availability	High
Privileges Required	High
User Interaction	None

CVSS 4.0

Product Status

Vendor	Siemens
Product	SINEC INS
Versions	Default: unknown affected from 0 to V1.0 SP2 Update 6 (excl.)

References

https://cert-portal.siemens.com/productcert/html/ssa-860189.html

Problem Types

CWE-760: Use of a One-Way Hash with a Predictable Salt CWE