Denial of Service Vulnerabilities in User Management Component (UMC)
Recommended action: Plan patch
Severity score: 7.5
Siemens advisory: SSA-614723
Published: May 13, 2025
Attack vector: Network
Authentication required: None
Complexity: Low
User interaction: None needed
Summary
Siemens User Management Component (UMC) contains three denial of service vulnerabilities (CWE-125 out-of-bounds read, CWE-787 out-of-bounds write) that allow an unauthenticated remote attacker to crash the service. The vulnerabilities affect UMC versions prior to 2.15.1.1, SINEC NMS prior to 4.0, TIA Portal versions 17–20, SINEMA Remote Connect (all versions), and SIMATIC PCS neo versions 4.1 and 5.0. Exploitation requires only network access to the UMC port and no valid credentials. A successful attack disables the authentication service, preventing legitimate engineering workstations and remote technicians from connecting until the component is manually restarted.
What this means
What could happen
An unauthenticated attacker on your network could send specially crafted requests to crash the User Management Component, causing engineering workstations and remote access tools to lose authentication services temporarily until the component restarts.
Who's at risk
This affects any organization using Siemens automation platforms for engineering and remote access: water authorities and utilities using TIA Portal for PLC/SCADA programming, remote technicians accessing systems via SINEMA Remote Connect, network management stations running SINEC NMS, and operators using SIMATIC PCS neo for process control. The User Management Component is the common authentication backbone for all these tools.
How it could be exploited
An attacker with network access to the UMC port (typically TCP 443, HTTPS) can send malformed requests that trigger an out-of-bounds read (CWE-125) or out-of-bounds write (CWE-787) in the user management component. The service crashes, and every product that relies on UMC for authentication (TIA Portal, SINEC NMS, SINEMA Remote Connect, SIMATIC PCS neo) refuses logins from engineering staff and remote technicians until the service is restarted. Because no credentials are needed and the requests are cheap to send, an attacker can simply repeat them to bring the service down again after each restart.
Prerequisites
- Network access to the User Management Component port (typically TCP 443)
- No authentication required
- UMC deployed and accessible from attacker's network segment
Key points:
- Remotely exploitable
- No authentication required
- Low complexity attack
- Multiple products without available patches
- Affects engineering access and remote operations
Exploitability
Low exploit probability (EPSS 0.3%). EPSS estimates the likelihood of exploitation in the wild over the next 30 days; for an unauthenticated denial of service against the authentication backbone of an OT engineering environment, a low EPSS score should not be read as low impact.
Affected products (9): 2 with fix, 7 EOL

Product | Affected versions | Fix status
User Management Component (UMC) | < 2.15.1.1 | 2.15.1.1
SINEC NMS | < 4.0 | 4.0
Totally Integrated Automation Portal (TIA Portal) V17 | All versions | No fix (EOL)
Totally Integrated Automation Portal (TIA Portal) V18 | All versions | No fix (EOL)
Totally Integrated Automation Portal (TIA Portal) V19 | All versions | No fix (EOL)
Totally Integrated Automation Portal (TIA Portal) V20 | All versions | No fix (EOL)
SIMATIC PCS neo V4.1 | All versions | No fix (EOL)
SIMATIC PCS neo V5.0 | All versions | No fix (EOL)
SINEMA Remote Connect | All versions | No fix (EOL)
Remediation & Mitigation
Do now
User Management Component (UMC)
WORKAROUND: Restrict network access to the UMC port (TCP 443) using firewall rules; allow only known engineering workstations and remote access gateways, and deny everything else
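The workaround above is enforced on the firewall in front of the UMC server; the check a practitioner wants afterwards is whether the rule actually holds. The following is an added example, not code from the advisory or from Siemens: it audits firewall log lines for the UMC port against an allowlist of engineering workstations and remote-access gateways, and reports three things, sources that got through from outside the allowlist (rule missing or too wide), allowlisted hosts that were denied (rule too narrow, which will break engineering), and denied attempts per outside source (the expected result, and a hint that someone is probing the port when one source dominates). The addresses, the `UMC_PORT` and `ALLOWED_SOURCES` names, the key=value log layout and the sample lines are all constructed assumptions; adapt `LINE_RE` to your firewall's export format.

```python
import ipaddress
import re

# Assumed values for illustration (not from the advisory): the UMC server's
# HTTPS port and the only sources that should be allowed to reach it.
UMC_PORT = 443
ALLOWED_SOURCES = [
    "10.10.1.0/28",   # engineering workstations
    "10.10.2.5",      # remote access gateway (e.g. a SINEMA Remote Connect server)
]

# Constructed firewall log lines in a generic key=value layout. Real exports
# differ (CEF, syslog, CSV); adjust LINE_RE to match yours.
SAMPLE_LOG = """\
2025-05-14T08:01:02Z action=ALLOW proto=TCP src=10.10.1.3 dst=10.10.5.20 dport=443
2025-05-14T08:01:09Z action=ALLOW proto=TCP src=10.10.2.5 dst=10.10.5.20 dport=443
2025-05-14T08:02:15Z action=ALLOW proto=TCP src=192.168.77.40 dst=10.10.5.20 dport=443
2025-05-14T08:02:16Z action=DENY proto=TCP src=172.16.9.9 dst=10.10.5.20 dport=443
2025-05-14T08:02:17Z action=DENY proto=TCP src=172.16.9.9 dst=10.10.5.20 dport=443
2025-05-14T08:02:40Z action=DENY proto=TCP src=10.10.1.4 dst=10.10.5.20 dport=443
2025-05-14T08:03:00Z action=ALLOW proto=TCP src=10.10.1.3 dst=10.10.5.20 dport=8080
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+action=(?P<action>\w+)\s+proto=(?P<proto>\w+)\s+"
    r"src=(?P<src>[\d.]+)\s+dst=(?P<dst>[\d.]+)\s+dport=(?P<dport>\d+)\s*$"
)


def build_allowlist(entries):
    """Parse CIDR/host strings into networks; a bare host becomes a /32."""
    return [ipaddress.ip_network(e, strict=False) for e in entries]


def is_allowed(src, allowlist):
    """True if the source address falls inside any allowlisted network."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in allowlist)


def audit_umc_access(log_text, allowed_entries, umc_port=UMC_PORT):
    """Check firewall log lines for the UMC port against the allowlist.

    Returns a dict with:
      unexpected_allow    - (ts, src) pairs that reached the port from outside
                            the allowlist: the rule is missing or too wide
      blocked_allowlisted - (ts, src) pairs where an allowed host was denied:
                            the rule is too narrow and will break engineering
      denied_by_source    - denied attempts per non-allowlisted source, which
                            is the expected outcome of the workaround
    Lines for other ports or protocols are ignored.
    """
    allowlist = build_allowlist(allowed_entries)
    report = {"unexpected_allow": [], "blocked_allowlisted": [], "denied_by_source": {}}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["proto"] != "TCP" or int(m["dport"]) != umc_port:
            continue
        allowed = is_allowed(m["src"], allowlist)
        if m["action"] == "ALLOW" and not allowed:
            report["unexpected_allow"].append((m["ts"], m["src"]))
        elif m["action"] == "DENY" and allowed:
            report["blocked_allowlisted"].append((m["ts"], m["src"]))
        elif m["action"] == "DENY":
            counts = report["denied_by_source"]
            counts[m["src"]] = counts.get(m["src"], 0) + 1
    return report


if __name__ == "__main__":
    for key, value in audit_umc_access(SAMPLE_LOG, ALLOWED_SOURCES).items():
        print(key, value)
```

Run it against a real log export in place of `SAMPLE_LOG`; any entry under `unexpected_allow` means the port is still reachable from a segment the advisory's workaround is meant to exclude.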
Schedule — requires maintenance window
Patching may require a device reboot; plan for process interruption
User Management Component (UMC)
HOTFIX: Update UMC to version 2.15.1.1 or later
SINEC NMS
HOTFIX: Update SINEC NMS to version 4.0 or later
Mitigations - no patch available
The following products have reached end of life with no planned fix: SINEMA Remote Connect, TIA Portal V17, V18, V19 and V20, and SIMATIC PCS neo V4.1 and V5.0. Apply the following compensating controls:
HARDENING: Monitor UMC service health and implement automated restart capability for unplanned service crashes
HARDENING: Plan upgrades for TIA Portal V17–V20 and PCS neo V4.1 and V5.0 as fixes become available from Siemens
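One way to implement the monitor-and-restart control above, as an added example that is not part of the advisory or of Siemens' tooling: a watchdog that probes the UMC TCP port, restarts the service after a run of failed probes, rate-limits restarts so the service has time to come up, and stops restarting and alerts when it detects a crash loop, because a service that keeps dying under this bug is most likely still being hit with the malformed requests and needs the firewall workaround rather than another restart. The `UmcWatchdog` and `simulate` names, the thresholds, the probe/restart/alert callbacks and the `echo` placeholder restart command are assumptions; the real restart command is site specific.

```python
import socket
import subprocess
import sys
import time


def probe_tcp(host, port, timeout=3.0):
    """True if a TCP connection to host:port completes within timeout.
    A refused or timed-out connect is what a crashed UMC looks like from the
    network; a TLS handshake check can be layered on top if wanted."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


class UmcWatchdog:
    """State machine behind an automated-restart control.

    tick() returns one of "ok", "degraded", "restarted", "waiting", "crash-loop".
      threshold  - consecutive failed probes before a restart is attempted
      cooldown   - minimum seconds between restarts (lets the service come up)
      loop_limit - restarts within loop_window that count as a crash loop; at
                   that point the watchdog stops restarting and alerts instead
    """

    def __init__(self, probe, restart, alert, threshold=3, cooldown=300,
                 loop_window=3600, loop_limit=3, clock=time.monotonic):
        self.probe, self.restart, self.alert, self.clock = probe, restart, alert, clock
        self.threshold, self.cooldown = threshold, cooldown
        self.loop_window, self.loop_limit = loop_window, loop_limit
        self.failures = 0
        self.restart_times = []

    def tick(self):
        now = self.clock()
        if self.probe():
            self.failures = 0
            return "ok"
        self.failures += 1
        if self.failures < self.threshold:
            return "degraded"
        if self.restart_times and now - self.restart_times[-1] < self.cooldown:
            return "waiting"          # give the last restart time to take effect
        self.restart_times = [t for t in self.restart_times if now - t < self.loop_window]
        if len(self.restart_times) >= self.loop_limit:
            self.alert(f"UMC restarted {len(self.restart_times)} times within "
                       f"{self.loop_window}s and is down again; stop restarting and investigate")
            return "crash-loop"
        self.restart()
        self.restart_times.append(now)
        self.failures = 0
        return "restarted"


def simulate(probe_results, **kwargs):
    """Drive the watchdog with canned probe results and a fake clock that
    advances 60 s per tick. Returns (states, restart_count, alert_count)."""
    state = {"i": 0, "restarts": 0, "alerts": 0}
    wd = UmcWatchdog(
        probe=lambda: probe_results[state["i"]],
        restart=lambda: state.__setitem__("restarts", state["restarts"] + 1),
        alert=lambda msg: state.__setitem__("alerts", state["alerts"] + 1),
        clock=lambda: 60.0 * state["i"],
        **kwargs,
    )
    states = []
    for i in range(len(probe_results)):
        state["i"] = i
        states.append(wd.tick())
    return states, state["restarts"], state["alerts"]


def restart_via_command(cmd):
    """Run the site-specific restart command (assumption: a service-manager
    call on the UMC host); True on exit status 0."""
    return subprocess.run(cmd, check=False).returncode == 0


if __name__ == "__main__":
    # Usage: python umc_watchdog.py <umc-host> [port]
    # The echo command below is a placeholder for the real restart command.
    host = sys.argv[1]
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 443
    wd = UmcWatchdog(
        probe=lambda: probe_tcp(host, port),
        restart=lambda: restart_via_command(["echo", "restart UMC service here"]),
        alert=lambda msg: print("ALERT:", msg, file=sys.stderr),
    )
    while True:
        print(wd.tick())
        time.sleep(30)
```

The `simulate()` helper exists so the restart and crash-loop logic can be exercised without a live UMC host; in production, wire `restart` to whatever restarts the service on your platform and `alert` to your monitoring system, and keep in mind that an automated restart restores availability but does nothing about the attacker who caused the crash.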
API:
/api/v1/advisories/3ed7a237-b68b-4878-92b1-cc188672c30e