Siemens Sinec Nms

SINEC NMS UMC <V2.15.2.1 Config Mod Allow DLL Exec (SYSTEM)
CVE-2026-25656 7.8 - High - February 10, 2026

A vulnerability has been identified in SINEC NMS (All versions), User Management Component (UMC) (All versions < V2.15.2.1). The affected application permits improper modification of a configuration file by a low-privileged user. This could allow an attacker to load malicious DLLs, potentially leading to arbitrary code execution with SYSTEM privileges.(ZDI-CAN-28108)

DLL preloading

SINEC NMS < V4.0 SP2: Config File Alteration Allows DLL-Aided Code Exec
CVE-2026-25655 7.8 - High - February 10, 2026

A vulnerability has been identified in SINEC NMS (All versions < V4.0 SP2). The affected application permits improper modification of a configuration file by a low-privileged user. This could allow an attacker to load malicious DLLs, potentially leading to arbitrary code execution with administrative privilege.(ZDI-CAN-28107)

DLL preloading

SINEC NMS <4.0 SP1 SQLi in getTotalAndFilterCounts Endpoint
CVE-2025-40755 8.8 - High - October 14, 2025

A vulnerability has been identified in SINEC NMS (All versions < V4.0 SP1). Affected applications are vulnerable to SQL injection through getTotalAndFilterCounts endpoint. An authenticated low privileged attacker could exploit to insert data and achieve privilege escalation. (ZDI-CAN-26570)

SQL Injection

DLL Hijacking in Windows Setup Component Enables RCE
CVE-2025-30033 7.8 - High - August 12, 2025

The affected setup component is vulnerable to DLL hijacking. This could allow an attacker to execute arbitrary code when a legitimate user installs an application that uses the affected setup component.

DLL preloading

Heap-based Buffer Overflow in UMC Enables Remote Code Exec (CVE-2024-49775)
CVE-2024-49775 9.8 - Critical - December 16, 2024

A vulnerability has been identified in Opcenter Execution Foundation (All versions < V2501.0001), Opcenter Intelligence (All versions < V2501.0001), Opcenter Quality (All versions < V2512), Opcenter RDnL (All versions < V2410), SIMATIC PCS neo V4.0 (All versions), SIMATIC PCS neo V4.1 (All versions < V4.1 Update 3), SIMATIC PCS neo V5.0 (All versions < V5.0 Update 1), SINEC NMS (All versions if operated in conjunction with UMC < V2.15), Totally Integrated Automation Portal (TIA Portal) V16 (All versions), Totally Integrated Automation Portal (TIA Portal) V17 (All versions), Totally Integrated Automation Portal (TIA Portal) V18 (All versions), Totally Integrated Automation Portal (TIA Portal) V19 (All versions). Affected products contain a heap-based buffer overflow vulnerability in the integrated UMC component. This could allow an unauthenticated remote attacker to execute arbitrary code.

Heap-based Buffer Overflow

SINEC NMS Database Function Arbitrary File Write Vulnerability
CVE-2024-47808 6.5 - Medium - November 12, 2024

A vulnerability has been identified in SINEC NMS (All versions < V3.0 SP1). The affected application contains a database function, that does not properly restrict the permissions of users to write to the filesystem of the host system. This could allow an authenticated medium-privileged attacker to write arbitrary content to any location in the filesystem of the host system.

Incorrect Permission Assignment for Critical Resource

Siemens Opcenter/PCS neo/TIA Portal Heap Overflow in UMC (CVE-2024-33698)
CVE-2024-33698 9.8 - Critical - September 10, 2024

A vulnerability has been identified in Opcenter Quality (All versions < V2406), Opcenter RDnL (All versions < V2410), SIMATIC PCS neo V4.0 (All versions), SIMATIC PCS neo V4.1 (All versions < V4.1 Update 2), SIMATIC PCS neo V5.0 (All versions < V5.0 Update 1), SINEC NMS (All versions), SINEMA Remote Connect Client (All versions < V3.2 SP3), Totally Integrated Automation Portal (TIA Portal) V16 (All versions), Totally Integrated Automation Portal (TIA Portal) V17 (All versions < V17 Update 8), Totally Integrated Automation Portal (TIA Portal) V18 (All versions < V18 Update 5), Totally Integrated Automation Portal (TIA Portal) V19 (All versions < V19 Update 3). Affected products contain a heap-based buffer overflow vulnerability in the integrated UMC component. This could allow an unauthenticated remote attacker to execute arbitrary code.

Heap-based Buffer Overflow

SINEC NMS <V3.0 LPE via NT AUTHORITY\SYSTEM
CVE-2024-36398 7.8 - High - August 13, 2024

A vulnerability has been identified in SINEC NMS (All versions < V3.0). The affected application executes a subset of its services as `NT AUTHORITY\SYSTEM`. This could allow a local attacker to execute operating system commands with elevated privileges.

Execution with Unnecessary Privileges

SINEC NMS <3.0 PT Auth Deleting Cert Files
CVE-2024-41938 3.8 - Low - August 13, 2024

A vulnerability has been identified in SINEC NMS (All versions < V3.0). The importCertificate function of the SINEC NMS Control web application contains a path traversal vulnerability. This could allow an authenticated attacker it to delete arbitrary certificate files on the drive SINEC NMS is installed on.

Directory traversal

SINEC NMS v<3.0: Auth Checks Bypass Privilege Escalation
CVE-2024-41939 8.8 - High - August 13, 2024

A vulnerability has been identified in SINEC NMS (All versions < V3.0). The affected application does not properly enforce authorization checks. This could allow an authenticated attacker to bypass the checks and elevate their privileges on the application.

AuthZ

Auth Escalation via Command Injection in SINEC NMS pre-3.0
CVE-2024-41940 9.1 - Critical - August 13, 2024

A vulnerability has been identified in SINEC NMS (All versions < V3.0). The affected application does not properly validate user input to a privileged command queue. This could allow an authenticated attacker to execute OS commands with elevated privileges.

SINEC NMS <3.0 Auth Bypass: Mod Settings Without Auth
CVE-2024-41941 4.3 - Medium - August 13, 2024

A vulnerability has been identified in SINEC NMS (All versions < V3.0). The affected application does not properly enforce authorization checks. This could allow an authenticated attacker to bypass the checks and modify settings in the application without authorization.

AuthZ

SQLi in SINEC NMS < V2.0 SP1 Unauth Remote
CVE-2024-23810 9.8 - Critical - February 13, 2024

A vulnerability has been identified in SINEC NMS (All versions < V2.0 SP1). The affected application is vulnerable to SQL injection. This could allow an unauthenticated remote attacker to execute arbitrary SQL queries on the server database.

SQL Injection

SINEC NMS < V2.0 SP1: Arbitrary File Upload via TFTP RCE
CVE-2024-23811 8.8 - High - February 13, 2024

A vulnerability has been identified in SINEC NMS (All versions < V2.0 SP1). The affected application allows users to upload arbitrary files via TFTP. This could allow an attacker to upload malicious firmware images or other files, that could potentially lead to remote code execution.

Unrestricted File Upload

Command Injection in SINEC NMS <V2.0 SP1 (Report Generation)
CVE-2024-23812 8.8 - High - February 13, 2024

A vulnerability has been identified in SINEC NMS (All versions < V2.0 SP1). The affected application incorrectly neutralizes special elements when creating a report which could lead to command injection.

Shell injection

SINEC NMS <2.0 Auth Priv Escalation via Folder Permission Misconfig
CVE-2022-30527 7.8 - High - October 10, 2023

A vulnerability has been identified in SINEC NMS (All versions < V2.0). The affected application assigns improper access rights to specific folders containing executable files and libraries. This could allow an authenticated local attacker to inject arbitrary code and escalate privileges.

Incorrect Permission Assignment for Critical Resource

SINEC NMS V<2.0 XSS via SNMP Config Data
CVE-2023-44315 5.4 - Medium - October 10, 2023

A vulnerability has been identified in SINEC NMS (All versions < V2.0). The affected application improperly sanitizes certain SNMP configuration data retrieved from monitored devices. An attacker with access to a monitored device could prepare a stored cross-site scripting (XSS) attack that may lead to unintentional modification of application data by legitimate users.

XSS

In logback version 1.2.7 and prior versions, an attacker with the required privileges to edit configurations files could craft a malicious configuration
CVE-2021-42550 6.6 - Medium - December 16, 2021

In logback version 1.2.7 and prior versions, an attacker with the required privileges to edit configurations files could craft a malicious configuration allowing to execute arbitrary code loaded from LDAP servers.

Marshaling, Unmarshaling

A vulnerability has been identified in SINEC NMS (All versions < V1.0 SP2 Update 1)
CVE-2021-33730 7.2 - High - October 12, 2021

A vulnerability has been identified in SINEC NMS (All versions < V1.0 SP2 Update 1). A privileged authenticated attacker could execute arbitrary commands in the local database by sending crafted requests to the webserver of the affected application.

SQL Injection

A vulnerability has been identified in SINEC NMS (All versions < V1.0 SP2 Update 1)
CVE-2021-33723 6.5 - Medium - October 12, 2021

A vulnerability has been identified in SINEC NMS (All versions < V1.0 SP2 Update 1). An authenticated attacker could change the user profile of any user without proper authorization. With this, the attacker could change the password of any user in the affected system.

A vulnerability has been identified in SINEC NMS (All versions < V1.0 SP2 Update 1)
CVE-2021-33722 4.9 - Medium - October 12, 2021

A vulnerability has been identified in SINEC NMS (All versions < V1.0 SP2 Update 1). The affected system has a Path Traversal vulnerability when exporting a firmware container. With this a privileged authenticated attacker could create arbitrary files on an affected system.

Directory traversal

A vulnerability has been identified in SINEC NMS (All versions < V1.0 SP2 Update 1)
CVE-2021-33724 9.1 - Critical - October 12, 2021

A vulnerability has been identified in SINEC NMS (All versions < V1.0 SP2 Update 1). The affected system contains an Arbitrary File Deletion vulnerability that possibly allows to delete an arbitrary file or directory under a user controlled path.

Directory traversal

A vulnerability has been identified in SINEC NMS (All versions < V1.0 SP2 Update 1)
CVE-2021-33733 7.2 - High - October 12, 2021

A vulnerability has been identified in SINEC NMS (All versions < V1.0 SP2 Update 1). A privileged authenticated attacker could execute arbitrary commands in the local database by sending crafted requests to the webserver of the affected application.

SQL Injection

A vulnerability has been identified in SINEC NMS (All versions < V1.0 SP2 Update 1)
CVE-2021-33732 7.2 - High - October 12, 2021

A vulnerability has been identified in SINEC NMS (All versions < V1.0 SP2 Update 1). A privileged authenticated attacker could execute arbitrary commands in the local database by sending crafted requests to the webserver of the affected application.

SQL Injection

A vulnerability has been identified in SINEC NMS (All versions < V1.0 SP2 Update 1)
CVE-2021-33734 7.2 - High - October 12, 2021

A vulnerability has been identified in SINEC NMS (All versions < V1.0 SP2 Update 1). A privileged authenticated attacker could execute arbitrary commands in the local database by sending crafted requests to the webserver of the affected application.

SQL Injection

A vulnerability has been identified in SINEC NMS (All versions < V1.0 SP2 Update 1)
CVE-2021-33735 7.2 - High - October 12, 2021

A vulnerability has been identified in SINEC NMS (All versions < V1.0 SP2 Update 1). A privileged authenticated attacker could execute arbitrary commands in the local database by sending crafted requests to the webserver of the affected application.

SQL Injection

A vulnerability has been identified in SINEC NMS (All versions < V1.0 SP2 Update 1)
CVE-2021-33736 7.2 - High - October 12, 2021

A vulnerability has been identified in SINEC NMS (All versions < V1.0 SP2 Update 1). A privileged authenticated attacker could execute arbitrary commands in the local database by sending crafted requests to the webserver of the affected application.

SQL Injection

A vulnerability has been identified in SINEC NMS (All versions < V1.0 SP2 Update 1)
CVE-2021-33725 9.1 - Critical - October 12, 2021

A vulnerability has been identified in SINEC NMS (All versions < V1.0 SP2 Update 1). The affected system allows to delete arbitrary files or directories under a user controlled path and does not correctly check if the relative path is still within the intended target directory.

Directory traversal

A vulnerability has been identified in SINEC NMS (All versions < V1.0 SP2 Update 1)
CVE-2021-33726 7.5 - High - October 12, 2021

A vulnerability has been identified in SINEC NMS (All versions < V1.0 SP2 Update 1). The affected system allows to download arbitrary files under a user controlled path and does not correctly check if the relative path is still within the intended target directory.

Directory traversal

A vulnerability has been identified in SINEC NMS (All versions < V1.0 SP2 Update 1)
CVE-2021-33727 6.5 - Medium - October 12, 2021

A vulnerability has been identified in SINEC NMS (All versions < V1.0 SP2 Update 1). An authenticated attacker could download the user profile of any user. With this, the attacker could leak confidential information of any user in the affected system.

Information Disclosure

A vulnerability has been identified in SINEC NMS (All versions < V1.0 SP2 Update 1)
CVE-2021-33728 7.2 - High - October 12, 2021

A vulnerability has been identified in SINEC NMS (All versions < V1.0 SP2 Update 1). The affected system allows to upload JSON objects that are deserialized to JAVA objects. Due to insecure deserialization of user-supplied content by the affected software, a privileged attacker could exploit this vulnerability by sending a crafted serialized Java object. An exploit could allow the attacker to execute arbitrary code on the device with root privileges.

Marshaling, Unmarshaling

A vulnerability has been identified in SINEC NMS (All versions < V1.0 SP2 Update 1)
CVE-2021-33729 8.8 - High - October 12, 2021

A vulnerability has been identified in SINEC NMS (All versions < V1.0 SP2 Update 1). An authenticated attacker that is able to import firmware containers to an affected system could execute arbitrary commands in the local database.

SQL Injection

A vulnerability has been identified in SINEC NMS (All versions < V1.0 SP2 Update 1)
CVE-2021-33731 7.2 - High - October 12, 2021

A vulnerability has been identified in SINEC NMS (All versions < V1.0 SP2 Update 1). A privileged authenticated attacker could execute arbitrary commands in the local database by sending crafted requests to the webserver of the affected application.

SQL Injection

Malformed requests may cause the server to dereference a NULL pointer
CVE-2021-34798 7.5 - High - September 16, 2021

Malformed requests may cause the server to dereference a NULL pointer. This issue affects Apache HTTP Server 2.4.48 and earlier.

NULL Pointer Dereference

ap_escape_quotes() may write beyond the end of a buffer when given malicious input
CVE-2021-39275 9.8 - Critical - September 16, 2021

ap_escape_quotes() may write beyond the end of a buffer when given malicious input. No included modules pass untrusted data to these functions, but third-party / external modules may. This issue affects Apache HTTP Server 2.4.48 and earlier.

Memory Corruption

A crafted request uri-path can cause mod_proxy to forward the request to an origin server choosen by the remote user
CVE-2021-40438 9 - Critical - September 16, 2021

A crafted request uri-path can cause mod_proxy to forward the request to an origin server choosen by the remote user. This issue affects Apache HTTP Server 2.4.48 and earlier.

SSRF

An OpenSSL TLS server may crash if sent a maliciously crafted renegotiation ClientHello message from a client
CVE-2021-3449 5.9 - Medium - March 25, 2021

An OpenSSL TLS server may crash if sent a maliciously crafted renegotiation ClientHello message from a client. If a TLSv1.2 renegotiation ClientHello omits the signature_algorithms extension (where it was present in the initial ClientHello), but includes a signature_algorithms_cert extension then a NULL pointer dereference will result, leading to a crash and a denial of service attack. A server is only vulnerable if it has TLSv1.2 and renegotiation enabled (which is the default configuration). OpenSSL TLS clients are not impacted by this issue. All OpenSSL 1.1.1 versions are affected by this issue. Users of these versions should upgrade to OpenSSL 1.1.1k. OpenSSL 1.0.2 is not impacted by this issue. Fixed in OpenSSL 1.1.1k (Affected 1.1.1-1.1.1j).

NULL Pointer Dereference

A vulnerability has been identified in SIMATIC Automation Tool (All versions < V4 SP2)
CVE-2020-7580 - June 10, 2020

A vulnerability has been identified in SIMATIC Automation Tool (All versions < V4 SP2), SIMATIC NET PC Software V14 (All versions < V14 SP1 Update 14), SIMATIC NET PC Software V15 (All versions), SIMATIC NET PC Software V16 (All versions < V16 Upd3), SIMATIC PCS neo (All versions < V3.0 SP1), SIMATIC ProSave (All versions < V17), SIMATIC S7-1500 Software Controller (All versions < V21.8), SIMATIC STEP 7 (TIA Portal) V13 (All versions < V13 SP2 Update 4), SIMATIC STEP 7 (TIA Portal) V14 (All versions < V14 SP1 Update 10), SIMATIC STEP 7 (TIA Portal) V15 (All versions < V15.1 Update 5), SIMATIC STEP 7 (TIA Portal) V16 (All versions < V16 Update 2), SIMATIC STEP 7 V5 (All versions < V5.6 SP2 HF3), SIMATIC WinCC OA V3.16 (All versions < V3.16 P018), SIMATIC WinCC OA V3.17 (All versions < V3.17 P003), SIMATIC WinCC Runtime Advanced (All versions < V16 Update 2), SIMATIC WinCC Runtime Professional V13 (All versions < V13 SP2 Update 4), SIMATIC WinCC Runtime Professional V14 (All versions < V14 SP1 Update 10), SIMATIC WinCC Runtime Professional V15 (All versions < V15.1 Update 5), SIMATIC WinCC Runtime Professional V16 (All versions < V16 Update 2), SIMATIC WinCC V7.4 (All versions < V7.4 SP1 Update 14), SIMATIC WinCC V7.5 (All versions < V7.5 SP1 Update 3), SINAMICS STARTER (All Versions < V5.4 HF2), SINAMICS Startdrive (All Versions < V16 Update 3), SINEC NMS (All versions < V1.0 SP2), SINEMA Server (All versions < V14 SP3), SINUMERIK ONE virtual (All Versions < V6.14), SINUMERIK Operate (All Versions < V6.14). A common component used by the affected applications regularly calls a helper binary with SYSTEM privileges while the call path is not quoted. This could allow a local attacker to execute arbitrary code with SYTEM privileges.

Unquoted Search Path or Element

A vulnerability has been identified in SIMATIC CP 443-1 OPC UA (All versions), SIMATIC ET 200SP Open Controller CPU 1515SP PC2 (incl
CVE-2019-6575 7.5 - High - April 17, 2019

A vulnerability has been identified in SIMATIC CP 443-1 OPC UA (All versions), SIMATIC ET 200SP Open Controller CPU 1515SP PC2 (incl. SIPLUS variants) (All versions < V2.7), SIMATIC HMI Comfort Outdoor Panels 7" & 15" (incl. SIPLUS variants) (All versions < V15.1 Upd 4), SIMATIC HMI Comfort Panels 4" - 22" (incl. SIPLUS variants) (All versions < V15.1 Upd 4), SIMATIC HMI KTP Mobile Panels KTP400F, KTP700, KTP700F, KTP900 and KTP900F (All versions < V15.1 Upd 4), SIMATIC IPC DiagMonitor (All versions < V5.1.3), SIMATIC NET PC Software V13 (All versions), SIMATIC NET PC Software V14 (All versions < V14 SP1 Update 14), SIMATIC NET PC Software V15 (All versions), SIMATIC RF188C (All versions < V1.1.0), SIMATIC RF600R family (All versions < V3.2.1), SIMATIC S7-1500 CPU family (incl. related ET200 CPUs and SIPLUS variants) (All versions >= V2.5 < V2.6.1), SIMATIC S7-1500 Software Controller (All versions between V2.5 (including) and V2.7 (excluding)), SIMATIC WinCC OA (All versions < V3.15 P018), SIMATIC WinCC Runtime Advanced (All versions < V15.1 Upd 4), SINEC NMS (All versions < V1.0 SP1), SINEMA Server (All versions < V14 SP2), SINUMERIK OPC UA Server (All versions < V2.1), TeleControl Server Basic (All versions < V3.1.1). Specially crafted network packets sent to affected devices on port 4840/tcp could allow an unauthenticated remote attacker to cause a denial of service condition of the OPC communication or crash the device. The security vulnerability could be exploited by an attacker with network access to the affected systems. Successful exploitation requires no system privileges and no user interaction. An attacker could use the vulnerability to compromise availability of the OPC communication.

Uncaught Exception