CISA flags Siemens SINEC INS flaws fixed in Update 6
OT operators get a clean patch answer here, but no real help for networks where updating is the hard part.
TL;DR
CISA republished Siemens ProductCERT SSA-860189 for SINEC INS versions before V1.0 SP2 Update 6, covering four vulnerabilities: authenticated OS command injection, path traversal, privilege escalation and weak password hashing. The highest-rated issues, CVE-2026-46746 and CVE-2026-46748, carry CVSS 3.1 scores of 8.8. Siemens says to update to V1.0 SP2 Update 6 or later. Critical manufacturing, transportation, energy, healthcare, financial services and government facilities should treat this as an OT patching problem, not a policy event.
CISA’s advisory is straightforward: Siemens SINEC INS before V1.0 SP2 Update 6 has four disclosed vulnerabilities, and Siemens’ remediation is to update to V1.0 SP2 Update 6 or later. The two serious items are CVE-2026-46746, an OS command-injection flaw in the /api/sftp/uploadFiles endpoint that a remote attacker holding valid credentials could use to run commands as the service user, and CVE-2026-46748, a privilege-escalation flaw in a binary configured with the cap_dac_override file capability, which lets a process bypass file read, write and execute permission checks and could let a local attacker gain root.
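The cap_dac_override finding is worth checking for on your own hosts, not only on SINEC INS. The script below is an added example, not Siemens’ or CISA’s code: it parses the output of `getcap -r /` (libcap, both the older `path = caps+flags` layout and the newer `path caps=flags` one) and reports binaries whose file capabilities include cap_dac_override or a few other capabilities that routinely turn local execution into root. The paths in SAMPLE_GETCAP are constructed for the example; the advisory does not name the affected SINEC INS binary, and nothing here identifies it.

```python
"""Flag Linux binaries carrying file capabilities that commonly lead to root.

Added example, not Siemens' or CISA's code. It parses the output of
`getcap -r /` (libcap) and reports binaries whose capability set includes
cap_dac_override, the capability named in CVE-2026-46748, or a handful of
similarly dangerous ones. Paths in SAMPLE_GETCAP are constructed for this
example; the advisory does not name the affected SINEC INS binary.
"""
import re
import subprocess

# Capabilities that let an unprivileged local user who can execute the binary
# escape its intended privilege boundary. cap_dac_override bypasses file
# read/write/execute permission checks (but not the immutable attribute).
RISKY_CAPS = {
    "cap_dac_override", "cap_dac_read_search", "cap_chown", "cap_fowner",
    "cap_setuid", "cap_setgid", "cap_sys_admin", "cap_sys_ptrace",
    "cap_sys_module", "cap_sys_rawio",
}

# libcap before 2.41 prints "/path = cap_a,cap_b+ep"; newer releases print
# "/path cap_a,cap_b=ep". Both layouts are accepted.
_OLD_STYLE = re.compile(r"^(?P<path>\S+)\s*=\s*(?P<spec>\S+)$")
_NEW_STYLE = re.compile(r"^(?P<path>\S+)\s+(?P<spec>\S+=\S*)$")
_SPEC = re.compile(r"^(?P<names>[a-z0-9_,]+)[+=](?P<flags>[eip]*)$")


def parse_getcap_line(line):
    """Return (path, set of capability names, flags) or None for junk."""
    line = line.strip()
    m = _OLD_STYLE.match(line) or _NEW_STYLE.match(line)
    if not m:
        return None
    spec = _SPEC.match(m.group("spec"))
    if not spec:
        return None
    names = {n for n in spec.group("names").split(",") if n}
    return m.group("path"), names, spec.group("flags")


def risky_binaries(getcap_output):
    """Return [(path, sorted risky caps, flags)] for every flagged binary.

    A capability only matters if it is permitted ("p") or effective ("e") at
    exec time; an inheritable-only ("i") entry is not reported.
    """
    findings = []
    for line in getcap_output.splitlines():
        parsed = parse_getcap_line(line)
        if parsed is None:
            continue
        path, names, flags = parsed
        hits = sorted(names & RISKY_CAPS)
        if hits and ("p" in flags or "e" in flags):
            findings.append((path, hits, flags))
    return findings


def scan_host():
    """Run getcap on this host (Linux with libcap installed) and flag results."""
    try:
        proc = subprocess.run(["getcap", "-r", "/"], capture_output=True,
                              text=True, check=False)
    except FileNotFoundError:
        return []  # getcap not installed; nothing to report
    return risky_binaries(proc.stdout)


# Constructed sample output covering both libcap layouts; hypothetical paths.
SAMPLE_GETCAP = """\
/usr/bin/ping = cap_net_raw+ep
/opt/example/bin/helper = cap_dac_override+ep
/usr/local/bin/newstyle cap_chown,cap_dac_override=eip
/usr/sbin/harmless cap_net_bind_service=ep
/usr/local/bin/inherit-only cap_sys_admin=i
"""

if __name__ == "__main__":
    for path, caps, flags in risky_binaries(SAMPLE_GETCAP):
        print(f"{path}: {','.join(caps)} ({flags})")
```

Run `scan_host()` on an appliance you are allowed to inspect and compare the result against the vendor’s expected capability set; any binary with cap_dac_override that an unprivileged service user can execute deserves the same scrutiny the advisory gives CVE-2026-46748.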
The affected deployments sit in the usual awkward place for industrial software: critical manufacturing, transportation systems, energy, healthcare and public health, financial services, and government services and facilities. CISA also repeats its standard control-system guidance: minimize network exposure for control-system devices, keep them off the internet, put them behind firewalls and isolate them from the business network, and, where remote access is required, use secure methods such as VPNs kept at the current version, remembering that a VPN has vulnerabilities of its own and is only as secure as the devices it connects.
What the advisory does not solve is the Monday problem for operators with restricted-update or segmented OT environments. There is a vendor fix, but no specific interim mitigation for systems that cannot move immediately to Update 6. That leaves asset owners doing the familiar triage: identify every SINEC INS instance and its exact version; check from which networks the web API, and the /api/sftp/uploadFiles endpoint in particular, is reachable and who holds credentials for it, since the command injection needs a valid login; prioritize the update where service-user command execution or root escalation would matter most, bearing in mind that the two flaws in combination would take an authenticated remote attacker from service-user command execution to root; and document any delay as an operational risk rather than a paperwork exception.
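The first two triage steps above are mostly bookkeeping, and bookkeeping is where mistakes hide (an "Update 5" that someone recorded as patched, an SP1 box nobody remembered). The script below is an added example, not a Siemens or CISA tool: it parses Siemens-style version strings such as "V1.0 SP2 Update 5", marks everything older than V1.0 SP2 Update 6 as affected, and orders the affected hosts by how reachable their web API is. The INVENTORY records, their field names and the exposure weights are constructed for this example and assume no real SINEC INS export format.

```python
"""Triage a SINEC INS inventory against SSA-860189.

Added example, not a Siemens or CISA tool. It parses Siemens-style version
strings such as "V1.0 SP2 Update 5", marks everything older than the fixed
V1.0 SP2 Update 6 as affected, and orders affected hosts by how reachable
their web API is. The INVENTORY records and their field names are
constructed for this example and assume no real SINEC INS export format.
"""
import re

FIXED_VERSION = "V1.0 SP2 Update 6"

# "V<major>.<minor>[ SP<n>][ Update <n>]"; a missing SP or Update counts as 0.
_VERSION = re.compile(
    r"^V(?P<major>\d+)\.(?P<minor>\d+)"
    r"(?:\s*SP(?P<sp>\d+))?"
    r"(?:\s*Update\s*(?P<upd>\d+))?$",
    re.IGNORECASE,
)


def parse_version(text):
    """Turn 'V1.0 SP2 Update 6' into the comparable tuple (1, 0, 2, 6)."""
    m = _VERSION.match(text.strip())
    if m is None:
        raise ValueError(f"unrecognised SINEC INS version string: {text!r}")
    return tuple(int(m.group(g) or 0) for g in ("major", "minor", "sp", "upd"))


def is_affected(version):
    """True when the version is older than the fixed release."""
    return parse_version(version) < parse_version(FIXED_VERSION)


# Assumed exposure weights, not from the advisory. CVE-2026-46746 needs valid
# credentials but is remote, so reachability of the web API from outside the
# cell network is the first ordering criterion.
EXPOSURE_RANK = {"internet": 3, "business": 2, "remote_access": 2, "ot_only": 1}


def triage(inventory):
    """Return affected hosts, highest exposure first, each with a 'rank'."""
    affected = []
    for host in inventory:
        if not is_affected(host["version"]):
            continue
        rank = EXPOSURE_RANK.get(host["api_reachable_from"], 0)
        affected.append({**host, "rank": rank})
    return sorted(affected, key=lambda h: (-h["rank"], h["name"]))


# Constructed inventory; hostnames and network labels are hypothetical.
INVENTORY = [
    {"name": "ins-plant-a", "version": "V1.0 SP2 Update 5", "api_reachable_from": "business"},
    {"name": "ins-plant-b", "version": "V1.0 SP2 Update 6", "api_reachable_from": "internet"},
    {"name": "ins-cell-7", "version": "V1.0 SP1 Update 3", "api_reachable_from": "ot_only"},
    {"name": "ins-remote-gw", "version": "V1.0 SP2 Update 4", "api_reachable_from": "remote_access"},
]

if __name__ == "__main__":
    for host in triage(INVENTORY):
        print(f"{host['name']:14} {host['version']:20} via "
              f"{host['api_reachable_from']} (rank {host['rank']})")
```

The version comparison is deliberately strict: any string the pattern does not recognise raises rather than being silently treated as patched, which is the failure mode you want in a triage list. Siemens version strings with designations beyond SP and Update are not handled and would need the pattern extended.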
Published · Deep Fathom