How is CVE-2026-46746 exploited?

Network reachability (required): The attacker must reach the SINEC INS application over the network to send a crafted request to the /api/sftp/uploadFiles endpoint. Authentication (required): The attacker must hold a valid account on the application, though any low-privilege account is sufficient. Victim interaction (not-required): No victim action is needed; the injected payload executes automatically when the application retrieves a directory listing. Attack complexity (info): The exploit is reliable and condition-free: no race conditions, special memory layout, or other environmental factors must be satisfied.

What is the impact of CVE-2026-46746?

Executes arbitrary shell commands on the underlying operating system as the sinecins service user, giving the attacker a foothold on the host. Reads sensitive files and data accessible to the sinecins service account, including configuration files, credentials, and stored SFTP content. Modifies or deletes files and configuration data on the host within the service account's permission scope. Disrupts the SINEC INS service and any dependent network management functions by terminating processes or corrupting runtime state.

Back to search

HIGHCVE-2026-46746Published 2026-06-09Modified 2026-06-09CNA siemens

CVE-2026-46746: A vulnerability has been identified in SINEC INS (All versions < V1

Q: What is CVE-2026-46746?

A stored command injection vulnerability affects Siemens SINEC INS, a network services application, in all versions before V1.0 SP2 Update 6. An attacker who holds a valid (low-privilege) account can reach the /api/sftp/uploadFiles endpoint over the network, upload a crafted directory name that embeds shell commands, and trigger execution when the application later retrieves a directory listing. Successful exploitation gives the attacker arbitrary operating system command execution with the privileges of the sinecins service account. A patched-image rebuild at V1.0 SP2 Update 6 is available on HarborGuard for affected environments.

Q: How is CVE-2026-46746 fixed?

A patched-image rebuild at V1.0 SP2 Update 6 is available on HarborGuard for any environment found running an affected version. For customers who opt into auto-remediation, HarborGuard rebuilds the image, runs a regression test suite, and opens a PR against affected workloads automatically.

A vulnerability has been identified in SINEC INS (All versions < V1.0 SP2 Update 6). The application does not properly sanitize user input in the /api/sftp/uploadFiles endpoint, allowing the injection of shell command payloads via crafted directory names. These payloads are stored and executed when directory listings are retrieved. This could allow an authenticated remote attacker to execute arbitrary commands on the underlying operating system with the privileges of the affected service user (sinecins).

CVSS v4.0: 8.7
Severity: HIGH
Fixed in: V1.0 SP2 Update 6
Affected Products: 1

HarborGuard Analysis

Synopsis

A stored command injection vulnerability affects Siemens SINEC INS, a network services application, in all versions before V1.0 SP2 Update 6. An attacker who holds a valid (low-privilege) account can reach the /api/sftp/uploadFiles endpoint over the network, upload a crafted directory name that embeds shell commands, and trigger execution when the application later retrieves a directory listing. Successful exploitation gives the attacker arbitrary operating system command execution with the privileges of the sinecins service account. A patched-image rebuild at V1.0 SP2 Update 6 is available on HarborGuard for affected environments.

HarborGuard Coverage

Detection

Detection of CVE-2026-46746 is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against all customer images in connected registries and CI/CD pipelines, including custom-built images that bundle SINEC INS.

Available

Triage

Triage is available with a CVSS v4.0 score of 8.7 (HIGH), surfaced alongside per-environment compliance policy weighting so that teams operating industrial network infrastructure receive appropriately elevated priority; findings are routed to the designated inbox for each customer organization based on configured ownership rules.

Available

Patch

A patched-image rebuild at V1.0 SP2 Update 6 is available on HarborGuard for any environment found running an affected version. For customers who opt into auto-remediation, HarborGuard rebuilds the image, runs a regression test suite, and opens a PR against affected workloads automatically.

Available

Exploit Conditions

Network reachabilityRequired
The attacker must reach the SINEC INS application over the network to send a crafted request to the /api/sftp/uploadFiles endpoint.
AuthenticationRequired
The attacker must hold a valid account on the application, though any low-privilege account is sufficient.
Victim interactionNot required
No victim action is needed; the injected payload executes automatically when the application retrieves a directory listing.
Attack complexityDetail
The exploit is reliable and condition-free: no race conditions, special memory layout, or other environmental factors must be satisfied.

Blast Radius

Executes arbitrary shell commands on the underlying operating system as the sinecins service user, giving the attacker a foothold on the host.
Reads sensitive files and data accessible to the sinecins service account, including configuration files, credentials, and stored SFTP content.
Modifies or deletes files and configuration data on the host within the service account's permission scope.
Disrupts the SINEC INS service and any dependent network management functions by terminating processes or corrupting runtime state.

How HarborGuard Handles This

Available on HarborGuard: detection fires within minutes of CVE publication for any image running a SINEC INS version below V1.0 SP2 Update 6, including custom-built images. The fix version V1.0 SP2 Update 6 is the basis for a patched-image rebuild that becomes available as soon as upstream metadata is confirmed. For customers who opt into auto-remediation, HarborGuard rebuilds the image at the fix version, runs a regression test suite, and opens a PR against affected workloads; median time from CVE publication to merged patch PR for high-severity issues is around 90 minutes in environments with auto-remediation enabled. Where compliance policy requires manual approval, the rebuild is staged and a review request is routed to the configured owner. All environments continue to receive re-scan results on each ingest cycle until the patched version is confirmed deployed.

See how HarborGuard automates this

Fix available

V1.0 SP2 Update 6

Affected packages

Siemens / SINEC INS
< V1.0 SP2 Update 6 (from 0)

CVSS Vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

References

cert-portal.siemens.com

Metrics

Get notified

HarborGuard Analysis

Synopsis

HarborGuard Coverage

Exploit Conditions

Blast Radius

How HarborGuard Handles This

Fix available