Siemens User Management Component (UMC)

Plan Patch7.5ICS-CERT ICSA-25-135-09May 13, 2025

Attack VectorNetwork

Auth RequiredNone

ComplexityLow

User InteractionNone needed

Summary

The Siemens User Management Component (UMC) contains three vulnerabilities (CWE-125 out-of-bounds read, CWE-787 out-of-bounds write) in its network service that allow an unauthenticated remote attacker to cause denial of service by crashing the UMC process. The vulnerability affects all versions of TIA Portal (V17-V20), SIMATIC PCS neo (V4.1, V5.0), SINEC NMS (versions before 4.0), SINEMA Remote Connect (all versions), and UMC itself (versions before 2.15.1.1). Exploitation requires network access to the affected machine on TCP ports 4002 or 4004. Siemens has released fixes for UMC (v2.15.1.1) and SINEC NMS (v4.0) but states no fix is planned for PCS neo V4.1 and no fix is currently available for PCS neo V5.0, SINEMA Remote Connect, or TIA Portal versions.

What this means

What could happen

An unauthenticated attacker on your network could cause the User Management Component or dependent systems (TIA Portal, SINEC NMS, PCS neo, SINEMA Remote Connect) to become unavailable, disrupting engineering workstations and halting access to control system configuration or monitoring.

Who's at risk

Engineering teams using Siemens automation products should care: TIA Portal V17-V20, SINEC NMS, SIMATIC PCS neo V4.1 and V5.0, SINEMA Remote Connect, and standalone User Management Component (UMC). Impacts engineering workstations and their ability to configure, monitor, or manage Siemens control systems.

How it could be exploited

An attacker with network access to ports 4002 or 4004 on machines running UMC can send specially crafted traffic that triggers a buffer overflow or out-of-bounds memory access, crashing the UMC service and making the device unresponsive. No authentication is required.

Prerequisites

Network access to TCP ports 4002 or 4004 on a machine with UMC installed
No authentication credentials required
UMC running on an unpatched version

remotely exploitableno authentication requiredlow complexity attackaffects engineering/configuration systemsno fix planned for several products

Exploitability

Low exploit probability (EPSS 0.3%)

Affected products (9)

2 with fix6 pending1 EOL

ProductAffected VersionsFix Status

SIMATIC PCS neo V4.1All versionsNo fix (EOL)

SIMATIC PCS neo V5.0All versionsNo fix yet

SINEC NMS< 4.04.0

SINEMA Remote ConnectAll versionsNo fix yet

Totally Integrated Automation Portal (TIA Portal) V17All versionsNo fix yet

Totally Integrated Automation Portal (TIA Portal) V18All versionsNo fix yet

Totally Integrated Automation Portal (TIA Portal) V19All versionsNo fix yet

Totally Integrated Automation Portal (TIA Portal) V20All versionsNo fix yet

Remediation & Mitigation

0/5

Do now

0/2

User Management Component (UMC)

WORKAROUNDBlock TCP ports 4002 and 4004 at the firewall for machines with UMC installed that are not part of networked deployments

All products

WORKAROUNDBlock TCP port 4004 completely if no RT server machines are used in your environment

Schedule — requires maintenance window

0/1

Patching may require device reboot — plan for process interruption

User Management Component (UMC)

HOTFIXUpdate User Management Component (UMC) to version 2.15.1.1 or later

Mitigations - no patch available

0/2

SIMATIC PCS neo V4.1 has reached End of Life. The vendor will not release a patch. Apply the following compensating controls:

HARDENINGImplement network segmentation to isolate engineering workstations and TIA Portal systems from untrusted networks

HARDENINGRestrict network access to UMC-dependent systems using firewalls and VPNs for remote engineering access

CVEs (3)

CVE-2025-30174 CVE-2025-30175 CVE-2025-30176

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/2cc3aaeb-0496-46fe-84ee-33c5e7cb3c1d