Siemens Product Family June 2026 Routine Security Update Advisory
Overview
Siemens has released security updates that address vulnerabilities in a number of its products. The affected products include AI Lightweight Inference Server, Connector for Azure, Database, HiMed Cockpit, SCALANCE Series, SIMATIC Series, SINEC Series, SINAMICS Series, SIPLUS NET, SITRANS, Shopfloor IT Suite, Siemens OPC UA Modelling Editor (SiOME), User Management Component (UMC), and Visual Inspection Cockpit.
Confirmed Vulnerabilities
- Out-of-bounds write vulnerability in OpenSSL affecting Siemens Products (CVE-2025-15467, CVSS 9.8).
- Vulnerability in the password hashing implementation in SINEC INS before V1.0 SP2 Update 6 (CVE-2026-46749, CVSS 7.5).
- Improper validation of special elements vulnerability in SINEC INS before V1.0 SP2 Update 6 (CVE-2026-46746, CVSS 8.8).
- Privilege escalation vulnerability in SINEC INS before V1.0 SP2 Update 6 (CVE-2026-46748, CVSS 8.8).
- Information disclosure vulnerability due to insufficient protection of key material in WinCC Certificate Manager (CVE-2026-24349, CVSS 7.1).
Countermeasures
Siemens provided patches or mitigations through an update on 06/09/2026. The main measures include:
- SINEC INS V1.0 SP2 Update 6 and later versions
- Connector for Azure V1.8.0 and later versions
- Databus V3.3.2 and later versions
- SIMATIC HMI Basic Panels V17.9 and later versions
- SIMATIC HMI Comfort Panels V17.9 and later versions
- SIMATIC HMI Mobile Panels V17 Update 9 and later versions
- SIMATIC STEP 7 V5 V5.7 SP4 and later versions
- SIMATIC WinCC OA V3.19 P024 and later, V3.20 P012 and later, V3.21 P02 and later
- SIMATIC WinCC Runtime Advanced V17 Update 9 and later
- SIMATIC WinCC Unified Sequence V21 and later
- User Management Component (UMC) V2.15.3.0 and later
- SIMATIC WinCC Unified PC Runtime V21 Update 2 and later
Note
The disclosed vulnerability information was provided in documents SSA-860189, SSA-434797, and SSA-063511.