VDB
CVE-2026-25654
CVE-2026-25654
PUBLISHED
CVSS 8.800000190734863 HIGH
SINEC NMS before V4.0 SP3 contains an Authorization Bypass vulnerability that could allow an attacker to bypass authorization checks, leading to the ability to reset the password of any arbitrary user account. Siemens has released a new version for SINEC NMS and recommends to update to the latest version. The following versions of Siemens SINEC NMS are affected: SINEC NMS CVSS Vendor Equipment Vulnerabilities v3 8.8 Siemens Siemens SINEC NMS Authorization Bypass Through User-Controlled Key Background Critical Infrastructure Sectors: Critical Manufacturing Countries/Areas Deployed: Worldwide Company Headquarters Location: Germany
EPSS 0.06% · 18.3th percentile
Risk Scores
CVSS 3.1
8.800000190734863
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS Score
0.06%
18.3th percentile
Exploit Intelligence
- CIRCL seen: CVE-2026-25654 (circl-sighting)
- CIRCL seen: CVE-2026-25654 (circl-sighting)
- CIRCL seen: CVE-2026-25654 (circl-sighting)
- https://cert-portal.siemens.com/productcert/html/ssa-605717.html (circl)
Timeline
- Apr 14, 2026 CVE Published
- Apr 14, 2026 PoC Published
- Apr 14, 2026 PoC Published
- Apr 14, 2026 PoC Published
- Apr 14, 2026 Security Advisory
- Apr 14, 2026 CVE Updated
- May 18, 2026 EPSS Score
- May 19, 2026 EPSS Score
- May 20, 2026 EPSS Score
- May 21, 2026 EPSS Score
- May 22, 2026 EPSS Score
- May 23, 2026 EPSS Score
References
- https://www.cisa.gov/news-events/ics-advisories/icsa-26-111-09 advisory
- https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-111-09.json advisory
- https://www.cve.org/CVERecord?id=CVE-2026-25654 technical
- https://support.industry.siemens.com/cs/ww/en/view/110000760/ vendor
- https://cwe.mitre.org/data/definitions/639.html technical
- https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H technical