CVE-2026-46749
Analyzed - Analysis Complete
Hardcoded Password Hashing Salt in SINEC INS

Publication date: 2026-06-09

Last updated on: 2026-06-12

Assigner: Siemens AG

Description
A vulnerability has been identified in SINEC INS (All versions < V1.0 SP2 Update 6). The affected application uses a password hashing implementation with a static, hardcoded salt shared across all users and installations, and is configured with an insufficient number of iterations. This could allow an attacker to efficiently recover user passwords using brute-force or precomputed attacks, potentially resulting in unauthorized access.
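The weakness described above, set beside a corrected scheme and a check for both flaws in stored records. This is an added example, not SINEC INS code: the advisory does not name the KDF, the salt or the iteration count, so PBKDF2-HMAC-SHA256, `STATIC_SALT`, `WEAK_ITERATIONS`, the record layout and all function names are assumptions for illustration.

```python
import hashlib
import hmac
import os
from collections import Counter

# Constructed values: the advisory gives neither the real salt nor the count.
STATIC_SALT = b"constructed-static-salt"
WEAK_ITERATIONS = 1_000
# OWASP Password Storage Cheat Sheet figure for PBKDF2-HMAC-SHA256.
MIN_ITERATIONS = 600_000


def weak_hash(password: str) -> bytes:
    """CWE-760 pattern: one salt shared by every user and installation."""
    return hashlib.pbkdf2_hmac(
        "sha256", password.encode(), STATIC_SALT, WEAK_ITERATIONS)


def hardened_hash(password: str, iterations: int = MIN_ITERATIONS) -> dict:
    """Fresh random salt per credential, stored alongside the hash."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt, "iterations": iterations, "hash": digest}


def verify(password: str, record: dict) -> bool:
    """Recompute with the record's own salt and count; compare in constant time."""
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), record["salt"], record["iterations"])
    return hmac.compare_digest(candidate, record["hash"])


def audit(records: list) -> list:
    """Flag salt reuse and low iteration counts in a credential table."""
    findings = []
    for salt, count in Counter(r["salt"] for r in records).items():
        if count > 1:
            findings.append(f"salt reused by {count} records")
    if any(r["iterations"] < MIN_ITERATIONS for r in records):
        findings.append("iteration count below minimum")
    return findings
```

With the shared salt, two accounts that use the same password store the same hash, so one precomputed table covers every user and every installation; with per-record salts each hash has to be attacked separately.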
Meta Information
Published: 2026-06-09
Last Modified: 2026-06-12
Generated: 2026-06-15
AI Q&A: 2026-06-09
EPSS Evaluated: 2026-06-14
Affected Vendors & Products
Showing 8 associated CPEs
Vendor Product Version / Range
siemens sinec_ins 1.0
siemens sinec_ins 1.0
siemens sinec_ins 1.0
siemens sinec_ins 1.0
siemens sinec_ins to 1.0 (inc)
siemens sinec_ins 1.0
siemens sinec_ins 1.0
siemens sinec_ins 1.0
CWE ID Description
CWE-760 The product uses a one-way cryptographic hash against an input that should not be reversible, such as a password, but the product uses a predictable salt as part of the input.
Mitigation Strategies

The vulnerability exists in all versions of SINEC INS prior to V1.0 SP2 Update 6 due to a weak password hashing implementation.

To mitigate this vulnerability, you should update the SINEC INS application to version V1.0 SP2 Update 6 or later, where the issue is resolved.

Compliance Impact

The vulnerability in SINEC INS involves the use of a static, hardcoded salt and insufficient iteration count in password hashing, which can allow attackers to efficiently recover user passwords through brute-force or precomputed attacks. This potentially results in unauthorized access to user accounts.

Such unauthorized access can lead to exposure or compromise of sensitive personal or protected health information, which may violate common standards and regulations like GDPR and HIPAA that require strong protection of user credentials and personal data.

Therefore, this vulnerability could negatively impact compliance with these regulations by increasing the risk of data breaches and unauthorized data access.

Executive Summary

This vulnerability exists in SINEC INS versions prior to V1.0 SP2 Update 6. The application uses a password hashing method that employs a static, hardcoded salt shared by all users and installations, combined with an insufficient number of hashing iterations.

Because of this weak hashing configuration, an attacker can efficiently recover user passwords by using brute-force or precomputed attacks, potentially leading to unauthorized access.

Impact Analysis

The vulnerability can allow attackers to recover user passwords more easily than intended, which may result in unauthorized access to the system.

This unauthorized access could lead to compromise of sensitive information, disruption of services, or further exploitation within the affected environment.
