Invalid Input Validation in SINEC INS Leads to Arbitrary Code Execution
CVE-2024-46890
9.1 CRITICAL
Summary
SINEC INS, in all versions prior to V1.0 SP2 Update 3, does not properly validate user input sent to specific endpoints of its web API. An authenticated remote attacker with elevated privileges could use this flaw to execute arbitrary code on the underlying operating system. The missing input validation raises the risk of exploitation, so affected installations need prompt updates and enhanced security measures.
Affected Version(s)
SINEC INS 0
References
CVSS V3.1
Score: 9.1
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: High
User Interaction: None
Scope: Changed
Timeline
Vulnerability published
Vulnerability Reserved