Siemens User Management Component (UMC)
Plan Patch
CVSS 9.8
ICS-CERT ICSA-25-254-07
Sep 9, 2025
Siemens
Attack path
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary
Siemens User Management Component (UMC) and SIMATIC PCS neo contain memory safety vulnerabilities (buffer overflow and out-of-bounds read) that allow unauthenticated remote attackers to execute arbitrary code or cause denial of service. Exploitation requires network access to TCP ports 4002 or 4004. UMC versions below 2.15.1.3 are affected. SIMATIC PCS neo V4.1, V5.0, and V6.0 have no vendor fix planned or available.
What this means
What could happen
An attacker without authentication could execute arbitrary code on machines running the User Management Component, potentially taking control of PCS neo systems and disrupting production scheduling and process control. Alternatively, they could crash the UMC service, causing loss of management visibility into PLC networks.
Who's at risk
Organizations running Siemens SIMATIC PCS neo (versions 4.1, 5.0, or 6.0) with the User Management Component should be concerned. This affects utilities, water authorities, manufacturing, and any facility using PCS neo for automation planning and PLC management. UMC is typically deployed in the engineering/planning network, but direct exposure to operational networks would amplify risk.
How it could be exploited
An attacker on the network sends a malicious request to TCP port 4002 or 4004 on a machine running UMC. The vulnerability (buffer overflow or similar memory issue) allows the attacker to inject and execute commands without providing credentials. The attacker gains code execution in the UMC process, which has access to SIMATIC PCS neo configuration and device communication.
Prerequisites
- Network access to TCP port 4002 or 4004 on a machine running UMC
- UMC running a vulnerable version (User Management Component versions before 2.15.1.3, or SIMATIC PCS neo V4.1, V5.0, V6.0)
- No authentication required
- remotely exploitable
- no authentication required
- low complexity
- high CVSS score (9.8)
- affects control system management software
- no patch available for SIMATIC PCS neo V4.1, V5.0, and V6.0
Exploitability
Unlikely to be exploited — EPSS score 0.3%
Affected products (4)
1 with fix, 1 pending, 2 EOL
Product | Affected Versions | Fix Status
SIMATIC PCS neo V6.0 | All versions | No fix yet
User Management Component (UMC) | < 2.15.1.3 | 2.15.1.3
SIMATIC PCS neo V4.1 | All versions | No fix (EOL)
SIMATIC PCS neo V5.0 | All versions | No fix (EOL)
Remediation & Mitigation
Do now
User Management Component (UMC)
HOTFIX: Update User Management Component (UMC) to version 2.15.1.3 or later
WORKAROUND: For SIMATIC PCS neo V4.1 and V5.0 systems where no fix is available, block TCP port 4002 at the firewall or host level to prevent external access to UMC
All products
WORKAROUND: For systems not using RT Server machine type, block TCP port 4004 at the firewall or host level
Mitigations - no patch available
The following products have reached End of Life with no planned fix: SIMATIC PCS neo V4.1, SIMATIC PCS neo V5.0. Apply the following compensating controls:
HARDENING: Isolate UMC machines and SIMATIC PCS neo systems behind a firewall; do not expose them directly to the internet or untrusted networks
HARDENING: If remote access to PCS neo systems is required, use a VPN concentrator or jump server rather than direct network exposure
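One way to turn the remediation items above into a per-host check, as an added example that is not part of the advisory or any Siemens tooling: it compares an inventoried UMC version against 2.15.1.3, lists which advisory actions apply, and confirms from the current network segment whether TCP 4002/4004 still accept connections after the blocks are in place. The inventory record fields (`umc_version`, `pcs_neo`, `rt_server`), host names and addresses are assumptions constructed for the example.

```python
import socket

FIXED_UMC = (2, 15, 1, 3)   # first fixed UMC version named in the advisory
UMC_PORTS = (4002, 4004)    # TCP ports named in the advisory

def parse_version(text):
    """'2.15.1.2' -> (2, 15, 1, 2); raises ValueError on non-numeric parts."""
    return tuple(int(part) for part in text.strip().split("."))

def umc_is_vulnerable(version_text):
    """True when the UMC version is below 2.15.1.3 (short versions are zero-padded)."""
    v = parse_version(version_text)
    width = max(len(v), len(FIXED_UMC))
    pad = lambda t: t + (0,) * (width - len(t))
    return pad(v) < pad(FIXED_UMC)

def port_open(address, port, timeout=1.0):
    """Plain TCP connect; run it from the segment that should be blocked."""
    try:
        with socket.create_connection((address, port), timeout=timeout):
            return True
    except OSError:
        return False

def required_actions(host):
    """Map one inventory record (assumed field names) to the advisory's items."""
    actions = []
    if umc_is_vulnerable(host["umc_version"]):
        actions.append("update UMC to 2.15.1.3 or later")
    if host.get("pcs_neo") in ("V4.1", "V5.0"):
        actions.append("block TCP 4002 (no fix available)")
    if not host.get("rt_server", False):
        actions.append("block TCP 4004 (not an RT Server)")
    return actions

def still_reachable(address, probe=port_open):
    """Ports from the advisory that still accept connections from here."""
    return [p for p in UMC_PORTS if probe(address, p)]

# Constructed sample inventory (hypothetical hosts, documentation addresses).
INVENTORY = [
    {"name": "eng-ws-01", "address": "192.0.2.10", "umc_version": "2.15.1.2",
     "pcs_neo": "V5.0", "rt_server": False},
    {"name": "rt-srv-01", "address": "192.0.2.20", "umc_version": "2.15.1.3",
     "pcs_neo": None, "rt_server": True},
]

if __name__ == "__main__":
    for host in INVENTORY:
        print(host["name"], required_actions(host), still_reachable(host["address"]))
```

Run the reachability part from a host outside the engineering network; an empty list for a UMC machine means the firewall or host-level block is effective from that vantage point.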