ZDI 2026-04-23

ZDI-26-298: Siemens SINEC NMS Authentication Bypass Vulnerability

CVE-2026-24032

Machine-generated analysis · WAYSCloud LLM

The advisory notes that authentication is not required to exploit this vulnerability, indicating a full bypass of login requirements.

Context

The affected product is Siemens SINEC NMS, a network management system. The vulnerability is an authentication bypass that can be exploited remotely. The advisory explicitly states that no authentication is needed to exploit the issue. Worth noting is that the CVSS score is rated 7.3, reflecting the remote attack vector and lack of required privileges.

Operator considerations

Check: Identify instances of Siemens SINEC NMS in use where remote access is permitted.

From Zero Day Initiative ↗

This vulnerability allows remote attackers to bypass authentication on affected installations of Siemens SINEC NMS. Authentication is not required to exploit this vulnerability. The ZDI has assigned a CVSS rating of 7.3. The following CVEs are assigned: CVE-2026-24032.

Read the full advisory on ZDI →