ZDI 2026-04-23

ZDI-26-297: Siemens SINEC NMS Improper Authentication Privilege Escalation Vulnerability

CVE-2026-25654

Machine-generated analysis · WAYSCloud LLM

The vulnerability requires authentication but allows remote privilege escalation in Siemens SINEC NMS.

Context

Siemens SINEC NMS is affected by an improper authentication vulnerability. The issue is a privilege escalation that can be exploited remotely by an authenticated attacker. The advisory notes a CVSS score of 8.8, indicating high severity according to the scoring system. Worth noting that the vulnerability type suggests access controls are not properly enforced after initial authentication.

Operator considerations

Check: inventory Siemens SINEC NMS installations for exposure to untrusted networks.

From Zero Day Initiative ↗

This vulnerability allows remote attackers to escalate privileges on affected installations of Siemens SINEC NMS. Authentication is required to exploit this vulnerability. The ZDI has assigned a CVSS rating of 8.8. The following CVEs are assigned: CVE-2026-25654.

Read the full advisory on ZDI →