Siemens SINEC INS
cpe:2.3:a:siemens:sinec_ins:*:*:*:*:*:*:*
- < V1.0 SP2 Update 6
A command injection vulnerability has been identified in Siemens SINEC INS versions prior to V1.0 SP2 Update 6. The issue arises in the SFTP file upload API endpoint, where user input is not properly sanitized. This lack of input validation allows authenticated remote attackers to inject shell command payloads through manipulated directory names. These injected commands are stored and executed when directory listings are accessed, potentially leading to arbitrary command execution on the underlying operating system with the privileges of the affected service user.
Exploitation of this vulnerability could allow authenticated remote attackers to execute arbitrary commands on the operating system, using the privileges of the 'sinecins' service user.
Users are advised to update to Siemens SINEC INS version V1.0 SP2 Update 6 or later. For more information, visit the Siemens Industry Support page.
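The description above has two halves: a directory name accepted at upload time, and its later interpretation by a shell when the directory is listed. The following added example (not Siemens code and not taken from this advisory) shows one defensive pattern covering both halves in Python; the allowlist regex, the function names and the sample directory names are assumptions constructed for illustration.

```python
import os
import re
import tempfile

# Allowlist for one directory-name component (assumed policy, not Siemens' own).
SAFE_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,63}")


def is_safe_dirname(name: str) -> bool:
    """Accept a single path component made only of allowlisted characters."""
    return SAFE_NAME.fullmatch(name) is not None


def create_upload_dir(base: str, name: str) -> str:
    """Write side: reject the name before it is ever stored on disk."""
    if not is_safe_dirname(name):
        raise ValueError(f"rejected directory name: {name!r}")
    path = os.path.join(base, name)
    os.mkdir(path)
    return path


def list_upload_dir(base: str, name: str) -> list[str]:
    """Read side: list through the filesystem API, never through a shell.

    The pattern this replaces is a command string handed to a shell, where
    metacharacters stored in the directory name are interpreted as commands.
    """
    if not is_safe_dirname(name):
        raise ValueError(f"rejected directory name: {name!r}")
    base_real = os.path.realpath(base)
    target = os.path.realpath(os.path.join(base_real, name))
    # Containment check: the resolved path must stay under the upload root.
    if os.path.commonpath([base_real, target]) != base_real:
        raise ValueError("path escapes upload root")
    with os.scandir(target) as entries:
        return sorted(entry.name for entry in entries)


def demo() -> dict:
    """Run constructed sample names through both sides and return outcomes."""
    results = {}
    with tempfile.TemporaryDirectory() as root:
        for name in ["plant-a_2024", "logs;id", "$(id)", "..", "a/b"]:
            try:
                create_upload_dir(root, name)
                results[name] = list_upload_dir(root, name)
            except ValueError:
                results[name] = "rejected"
    return results
```

Validating on both the write and the read path matters here because names stored before a fix is deployed would otherwise still reach the listing code.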