Siemens User Management Component (UMC)

Plan PatchCVSS 7.5ICS-CERT ICSA-25-135-09May 13, 2025

Siemens

Attack path

Attack VectorNetwork

Auth RequiredNone

ComplexityLow

User InteractionNone needed

Summary

Siemens User Management Component (UMC) contains three vulnerabilities (CWE-125 out-of-bounds read, CWE-787 out-of-bounds write) that allow an unauthenticated remote attacker to cause denial of service. UMC is a shared authentication and user management component used by TIA Portal (engineering software), SIMATIC PCS neo (process control system), SINEC NMS (network management), and SINEMA Remote Connect (remote access tool). An attacker can send a specially crafted request to ports 4002 or 4004 to crash the UMC process, preventing users from logging in or administering affected systems. Siemens has released UMC version 2.15.1.1 and SINEC NMS version 4.0 with fixes. SIMATIC PCS neo V4.1 will not be patched. SIMATIC PCS neo V5.0 and SINEMA Remote Connect have no fix available yet. TIA Portal V17–V20 depend on UMC for authentication and require the patched UMC component.

What this means

What could happen

An unauthenticated attacker on your network could crash the User Management Component or dependent services (TIA Portal, SINEC NMS, SIMATIC PCS neo) through denial of service, disrupting engineering access and potentially preventing PLC programming or monitoring changes during an outage.

Who's at risk

Engineering teams and system administrators using Siemens automation tools should care. Affected systems include TIA Portal (versions 17–20) on programming workstations, SIMATIC PCS neo (versions 4.1, 5.0) used for process control engineering, SINEC NMS (version <4.0) for network management, and SINEMA Remote Connect for remote access. Any organization that uses Siemens engineering software for PLC programming or SCADA system management is potentially impacted.

How it could be exploited

An attacker with network access to ports 4002 or 4004 can send a crafted request to the UMC service without authentication. The request triggers a buffer overflow or out-of-bounds memory access, crashing the UMC process and any service depending on it for user authentication.

Prerequisites

Network access to TCP port 4002 or 4004 on machines running UMC
UMC service must be running and exposed to the network
No authentication required

remotely exploitableno authentication requiredlow complexityaffects engineering tools and access controlno patch available for SIMATIC PCS neo V4.1 and SINEMA Remote Connect

Exploitability

Unlikely to be exploited — EPSS score 0.3%

Affected products (9)

2 with fix6 pending1 EOL

ProductAffected VersionsFix Status

SIMATIC PCS neo V4.1All versionsNo fix (EOL)

SIMATIC PCS neo V5.0All versionsNo fix yet

SINEC NMS< 4.04.0

SINEMA Remote ConnectAll versionsNo fix yet

Totally Integrated Automation Portal (TIA Portal) V17All versionsNo fix yet

Totally Integrated Automation Portal (TIA Portal) V18All versionsNo fix yet

Totally Integrated Automation Portal (TIA Portal) V19All versionsNo fix yet

Totally Integrated Automation Portal (TIA Portal) V20All versionsNo fix yet

Remediation & Mitigation

0/6

Do now

0/2

WORKAROUNDBlock inbound access to TCP ports 4002 and 4004 from untrusted networks using firewall rules

WORKAROUNDIf RT server functionality is not required, block TCP port 4004 completely at the firewall

Schedule — requires maintenance window

0/3

Patching may require device reboot — plan for process interruption

User Management Component (UMC)

HOTFIXUpdate User Management Component (UMC) to version 2.15.1.1 or later

SINEC NMS

HOTFIXFor SINEC NMS, update to version 4.0 or later

SIMATIC PCS neo V5.0

HOTFIXFor TIA Portal V17, V18, V19, V20 or SIMATIC PCS neo V5.0, apply the UMC 2.15.1.1 patch

Mitigations - no patch available

0/1

SIMATIC PCS neo V4.1 has reached End of Life. The vendor will not release a patch. Apply the following compensating controls:

HARDENINGIsolate UMC-dependent systems (TIA Portal, SINEC NMS, SIMATIC PCS neo workstations) to engineering network segments only, restricting access from production floor and business networks

CVEs (3)

CVE-2025-30174 CVE-2025-30175 CVE-2025-30176

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/2cc3aaeb-0496-46fe-84ee-33c5e7cb3c1d

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.