As part of our security research, we identified an attack chain in Siemens SINEC INS that could be used to An authenticated web user can gain full root privileges on the underlying Linux system. In total, we identified four vulnerabilities. Two of them can be combined to form the attack chain described below.
SINEC INS provides core network services such as DHCP, DNS, NTP, RADIUS, and SFTP for industrial networks. An attacker with root privileges can thus control the core services of an entire network segment; the potential for damage is correspondingly high in an OT environment. Man-in-the-middle attacks can be carried out using manipulated DNS and DHCP responses; authentication can be bypassed via RADIUS; and time-dependent processes can be disrupted via NTP. Siemens has addressed these vulnerabilities with V1.0 SP2 Update 6. Operators using an older version should install the update as soon as possible.
Discovered Vulnerabilities
Step 1 – Command Injection via the SFTP Endpoint (CVE-2026-46746)
SINEC INS provides an SFTP module in the web interface that can be used to create and manage directories. The PATCH endpoint /api/sftp/uploadFiles does not sufficiently validate the directory names passed to it. If an attacker creates a directory whose name contains a command substitution such as $(id), this name is stored unchanged in the file system. The order is critical here. The command is not executed when the directory is created but is first persisted as a directory name. Only when the directory is listed via GET /api/sftp/uploadFiles does the shell evaluate the command substitution. This constitutes a stored command injection, which leads to command execution on the Linux system in the context of the service user `sinecins`. The only prerequisite is a web UI account whose role includes permissions for the SFTP module (specifically, ` sftpRights ` Level 2). However, such an account remains unprivileged; sinecins does not have root privileges at this point. Therefore, the second step in the chain is required to gain full control of the system.
Step 2 – Privilege Escalation via Linux Capability (CVE-2026-46748)
The foothold as ” sinecins ” initially provides only the rights of an unprivileged service user. The actual privilege escalation is enabled by a configuration at the file system level: The binary ` /opt/sinecins/bin/sinecINSsftp ` is assigned the Linux capability ` cap_dac_override `, a case of Execution with Unnecessary Privileges (CWE-250). Under Linux, Discretionary Access Control (DAC) determines which users are allowed to read, write, or execute which files. The cap_dac_override capability bypasses these checks. A process possessing this capability may read and write any file, regardless of the set permissions. The core of the misconfiguration lies in the fact that this privileged binary can be started by the unprivileged service user `sinecins ` with a freely selectable configuration. ` sinecINSsftp ` is an FTP server that accepts any configuration file via a command-line parameter. If an attacker starts the server with a custom configuration, the process is granted the capability upon startup. This allows the attacker to read and overwrite any system files using standard FTP operations. From there, it is a short path to root. The FTP server can be used to create a cron job that runs as root and opens a reverse shell for the attacker. It is also possible to exploit /etc/passwd: The attacker reads the file, adds a backdoor account with UID 0, and writes it back. Logging in with this account then immediately grants a root shell.
The Big Picture
Taken in isolation, the individual vulnerabilities do not appear particularly critical: a stored command injection that initially affects only a service account, and a capability that can be exploited only locally. Together, however, they form a continuous attack chain from the authenticated web user all the way to root on a system that occupies a central position in the network.
Additional Findings
In addition to the attack chain described above, two further vulnerabilities were identified. A path traversal in the SFTP module’s directory listing (CVE-2026-46747) allows directories outside the intended path to be listed. In addition, the application’s password hashing uses a static, hard-coded salt and an insufficient number of iterations (CVE-2026-46749), making password hashes significantly easier to attack. Both issues have also been fixed in Update 6.
Conclusion
Vendor Contact Timeline
| Date | Event |
|---|---|
| 2026-01-30 | The identified vulnerabilities in Siemens SINEC INS were reported to Siemens ProductCERT as part of a responsible disclosure. |
| 2026-02-02 – 2026-05-18 | Siemens analyzed the reported vulnerabilities, validated the findings, and developed the corresponding patches. |
| 2026-05-18 | Siemens ProductCERT informed us about the planned publication of a security advisory. |
| 2026-06-09 | Siemens published the security advisory SSA-860189 – Multiple Vulnerabilities in SINEC INS Before V1.0 SP2 Update 6 and released the corresponding security updates. [1] |
| 2026-06-23 | The vulnerabilities were additionally published by CISA in the alert ICSA-26-174-04. [2] |



