A critical security flaw has been discovered in Siemens’ User Management Component (UMC), potentially exposing numerous industrial control systems to remote attacks.
The vulnerability, identified as CVE-2024-49775, allows unauthenticated, remote attackers to execute arbitrary code on affected systems, posing a severe risk to industrial and enterprise environments.
The heap-based buffer overflow vulnerability affects multiple Siemens products that integrate the UMC component.
These include Opcenter Execution Foundation, Opcenter Intelligence, Opcenter Quality, Opcenter RDL, SIMATIC PCS neo, SINEC NMS, and Totally Integrated Automation Portal (TIA Portal).
With a CVSS v3.1 base score of 9.8 and a CVSS v4.0 score of 9.3, the vulnerability is classified as critical, reflecting its potential for widespread exploitation and severe impact.
Investigate Real-World Malicious Links, Malware & Phishing Attacks With ANY.RUN – Try for Free
The remote attack vector requires no authentication or user interaction, making it particularly dangerous.
Siemens has acknowledged the vulnerability and is actively working on permanent fixes for affected products. In the meantime, the company has issued specific workarounds and mitigations to reduce the risk.
Key mitigation measures include:
- Filtering ports 4002 and 4004 to allow connections only from machines within the UMC network.
- Blocking port 4004 entirely if no RT server machines are in use.
- Implementing network segmentation to isolate affected systems.
- Restricting network access to the affected systems, allowing only trusted IP addresses.
For some products, such as SINEC NMS, Siemens recommends updating to version V3.0 SP2 or later and upgrading UMC to V2.15 or later. Users of SIMATIC PCS neo-V5.0 should upgrade to Version V5.0 Update 1 or newer.
The vulnerability’s impact extends beyond immediate security concerns. If exploited, it could lead to unauthorized control of industrial processes, data theft, or disruption of operations.
Given the critical nature of industrial control systems and automation software, the potential consequences of a successful attack are severe.
As of now, there is no evidence of public proof-of-concept exploits or active exploitation of this vulnerability. However, cybersecurity experts warn that the window of opportunity to patch before threat actors strike can close rapidly.
Siemens strongly advises customers to apply the recommended mitigations promptly and to stay vigilant for upcoming patches and updates.
The company also emphasizes the importance of following general security best practices, such as protecting network access to devices with appropriate mechanisms and configuring environments according to Siemens’ operational guidelines for Industrial Security.
As the situation develops, industrial control system professionals and administrators are urged to closely monitor Siemens’ security advisories and take swift action to protect their systems from this critical vulnerability.