Siemens User Management Component (UMC)
Act Now | CVSS 9.8 | ICS-CERT ICSA-25-254-07 | Sep 9, 2025
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary
Siemens User Management Component (UMC) contains multiple vulnerabilities (buffer overflow and out-of-bounds read) that allow an unauthenticated remote attacker to execute arbitrary code or cause denial of service. The vulnerabilities affect UMC versions prior to 2.15.1.3; UMC is integrated into SIMATIC PCS neo V4.1, V5.0, and V6.0. UMC is typically deployed as a central authentication and authorization service for Siemens automation environments, listening on TCP ports 4002 and 4004.
What this means
What could happen
An attacker with network access to UMC could execute arbitrary commands on the User Management server without credentials, potentially compromising the engineering network that controls SIMATIC automation systems. This could allow the attacker to modify process configurations, disable safety interlocks, or shut down production.
Who's at risk
Water utilities and electric utilities using Siemens SIMATIC PCS neo as their supervisory control or engineering environment are affected. This includes organizations relying on PCS neo for process automation, HMI/SCADA integration, or centralized user authentication across multiple PLCs or RTUs. Organizations using standalone User Management Component for centralized engineering access control are also at risk.
How it could be exploited
An attacker sends a specially crafted network packet to TCP port 4002 or 4004 on a machine running vulnerable UMC software. The buffer overflow or out-of-bounds read flaw in the UMC service is triggered, allowing code execution. The attacker gains the privileges of the UMC service, typically system-level on the host, and can then interact with connected SIMATIC controllers or modify authorization policies.
Prerequisites
- Network reachability to TCP port 4002 or 4004 on the UMC host
- UMC version prior to 2.15.1.3 or SIMATIC PCS neo V4.1, V5.0, V6.0 installed
- No authentication required
Tags: remotely exploitable, no authentication required, low complexity, high CVSS score (9.8), no patch available for SIMATIC PCS neo V4.1 and V5.0, affects engineering/control network
Exploitability
Low exploit probability (EPSS 0.1%)
Affected products (4)
1 with fix, 1 pending, 2 EOL
Product | Affected Versions | Fix Status
SIMATIC PCS neo V6.0 | All versions | No fix yet
User Management Component (UMC) | < 2.15.1.3 | 2.15.1.3
SIMATIC PCS neo V4.1 | All versions | No fix (EOL)
SIMATIC PCS neo V5.0 | All versions | No fix (EOL)
Remediation & Mitigation
Do now
User Management Component (UMC)
- WORKAROUND: Block inbound TCP traffic to ports 4002 and 4004 at the network edge (firewall rules) for UMC servers not requiring remote access
- WORKAROUND: If UMC deployment does not use 'RT Server' machine type, block port 4004 everywhere without impact to other UMC machine types
- HARDENING: Deploy UMC servers behind a firewall and remove direct internet accessibility
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
User Management Component (UMC)
- HARDENING: Restrict network access to UMC to authorized engineering workstations and authorized remote access points only using firewall rules
All products
- HOTFIX: Update User Management Component to version 2.15.1.3 or later
Mitigations - no patch available
The following products have reached End of Life with no planned fix: SIMATIC PCS neo V4.1, SIMATIC PCS neo V5.0. Apply the following compensating controls:
- HARDENING: For SIMATIC PCS neo V4.1 and V5.0 (no fixes planned), implement network segmentation to isolate the engineering workstation network from production and business networks
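The remediation steps above, applied to an asset inventory, as an added example (not part of the advisory and not Siemens code). The record fields, host names and the `deployment_uses_rt_server` flag are assumptions, and the inventory is constructed sample data.

```python
FIXED_UMC = (2, 15, 1, 3)        # first fixed UMC release named in the advisory
PCS_NEO_EOL = {"V4.1", "V5.0"}   # advisory: no fix (EOL)
PCS_NEO_PENDING = {"V6.0"}       # advisory: no fix yet

def parse_version(text):
    """'2.15.1.10' -> (2, 15, 1, 10), zero-padded to four fields."""
    parts = [int(p) for p in text.strip().split(".")]
    return tuple(parts + [0] * (4 - len(parts)))

def triage(asset, deployment_uses_rt_server):
    """Return the advisory actions that apply to one inventory record."""
    actions = []
    product, version = asset["product"], asset["version"]
    if product == "UMC":
        # Compare numerically: as strings, "2.15.1.10" sorts before "2.15.1.3".
        if parse_version(version) < FIXED_UMC:
            actions.append("update UMC to 2.15.1.3 or later")
    elif product == "PCS neo":
        if version in PCS_NEO_EOL:
            actions.append("EOL, no fix planned: isolate engineering network")
        elif version in PCS_NEO_PENDING:
            actions.append("no fix yet: apply network workarounds")
    if not actions:
        return actions  # not in scope of the advisory
    # The port workarounds apply to every affected host.
    if deployment_uses_rt_server:
        actions.append("restrict TCP 4002 and 4004 to authorized hosts")
    else:
        actions.append("block TCP 4004 everywhere")
        actions.append("restrict TCP 4002 to authorized hosts")
    return actions

INVENTORY = [  # constructed sample records, not real hosts
    {"host": "umc-ring-01", "product": "UMC", "version": "2.15.1.10"},
    {"host": "umc-ring-02", "product": "UMC", "version": "2.15.1.2"},
    {"host": "umc-legacy", "product": "UMC", "version": "2.9"},
    {"host": "neo-eng-01", "product": "PCS neo", "version": "V5.0"},
    {"host": "neo-eng-02", "product": "PCS neo", "version": "V6.0"},
]

if __name__ == "__main__":
    for asset in INVENTORY:
        result = triage(asset, deployment_uses_rt_server=False)
        print(asset["host"], result or ["not affected"])
```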