CVE-2026-25656
Published: 10 February 2026
Summary
CVE-2026-25656 is a high-severity Uncontrolled Search Path Element (CWE-427) vulnerability in Siemens Sinec Nms. Its CVSS base score is 7.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique DLL Side-Loading (T1574.002); ranked at the 1.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-6 (Least Privilege) and CM-5 (Access Restrictions for Change).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly remediates the vulnerability by applying vendor patches for SINEC NMS V4.0 SP3 and UMC V2.15.2.1 as detailed in Siemens advisory SSA-311973.
Restricts access to configuration change mechanisms, preventing low-privileged users from improperly modifying configuration files to reference malicious DLLs.
Enforces least privilege to ensure low-privileged users lack the permissions needed to modify critical configuration files leading to DLL loading and code execution.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Vulnerability (CWE-427) allows low-privileged modification of a config file to force loading of attacker-supplied malicious DLLs, directly enabling DLL Side-Loading (T1574.002) that results in arbitrary code execution as SYSTEM and is therefore also Exploitation for Privilege Escalation (T1068).
NVD Description
A vulnerability has been identified in SINEC NMS (All versions < V4.0 SP3), User Management Component (UMC) (All versions < V2.15.2.1). The affected application permits improper modification of a configuration file by a low-privileged user. This could allow an attacker…
more
to load malicious DLLs, potentially leading to arbitrary code execution with SYSTEM privileges.(ZDI-CAN-28108)
Deeper analysisAI
CVE-2026-25656 affects SINEC NMS in all versions prior to V4.0 SP3 and the User Management Component (UMC) in all versions prior to V2.15.2.1. The vulnerability stems from improper modification of a configuration file by a low-privileged user (CWE-427), enabling the loading of malicious DLLs. This can potentially lead to arbitrary code execution with SYSTEM privileges. It carries a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) and was published on 2026-02-10.
A low-privileged local user can exploit the issue by altering the configuration file to reference a malicious DLL, requiring low attack complexity with no user interaction. Successful exploitation grants arbitrary code execution at SYSTEM privilege level, resulting in high impacts to confidentiality, integrity, and availability.
Siemens has published security advisory SSA-311973 at https://cert-portal.siemens.com/productcert/html/ssa-311973.html, which details the vulnerability and associated mitigations. The issue is canonically reported as ZDI-CAN-28108.
Details
- CWE(s)