Introduction
Remote code execution in industrial control systems can disrupt manufacturing, energy, and critical infrastructure operations worldwide. CVE-2025-40795 exposes Siemens SIMATIC PCS neo installations to unauthenticated attacks that could halt production or compromise safety-critical processes.
About Siemens and SIMATIC PCS neo: Siemens is a global leader in industrial automation and digitalization, with SIMATIC PCS neo serving as its flagship distributed control system for process industries. These systems are deployed in thousands of manufacturing plants, power generation sites, and critical infrastructure facilities globally. The User Management Component (UMC) is a core authentication and authorization service integrated across Siemens' industrial product lines, making its security foundational to operational technology environments.
Technical Information
CVE-2025-40795 is a stack-based buffer overflow in the integrated User Management Component (UMC) of SIMATIC PCS neo. The vulnerability arises from improper bounds checking when handling network requests. An unauthenticated remote attacker can send specially crafted data to the UMC service, causing the application to write beyond the bounds of a stack-allocated buffer. This can overwrite adjacent memory, including function return addresses, leading to arbitrary code execution or a denial of service.
Key technical points:
- The flaw is present in all versions of SIMATIC PCS neo V4.1 and V5.0, as well as UMC versions before V2.15.1.3.
- The UMC component is typically accessible over TCP ports 4002 and 4004.
- No authentication is required for exploitation, significantly increasing the risk in exposed environments.
- The vulnerability is classified under CWE-121 (Stack-based Buffer Overflow).
No public code snippets or proof of concept are available at this time.
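As an added illustration of the CWE-121 pattern described above (written for this page; it is not Siemens or UMC code and not a proof of concept), the C below assumes a constructed wire format, a 2-byte big-endian length prefix followed by a payload, and shows a handler that trusts the client-supplied length beside one that validates it against both the bytes actually received and the destination stack buffer.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed wire format: 2-byte big-endian length, then payload. This is an
 * illustrative shape, not the real UMC protocol. */
#define NAME_BUF 64
#define HDR_LEN  2

/* Vulnerable shape (CWE-121): the length field comes from an unauthenticated
 * client and is never compared with the stack buffer it is copied into, so a
 * declared length above NAME_BUF overwrites adjacent stack memory. */
int handle_request_unchecked(const uint8_t *pkt, size_t pkt_len)
{
    char name[NAME_BUF];
    if (pkt_len < HDR_LEN)
        return -1;
    size_t declared = ((size_t)pkt[0] << 8) | pkt[1];
    memcpy(name, pkt + HDR_LEN, declared);   /* no bound on `declared` */
    return (int)declared;
}

/* Hardened shape: every length taken from the request is validated against the
 * bytes actually received and against the destination buffer before any copy. */
int handle_request_checked(const uint8_t *pkt, size_t pkt_len)
{
    char name[NAME_BUF];
    if (pkt_len < HDR_LEN)
        return -1;                            /* truncated header */
    size_t declared = ((size_t)pkt[0] << 8) | pkt[1];
    if (declared > pkt_len - HDR_LEN)
        return -2;                            /* claims more bytes than were received */
    if (declared >= sizeof name)
        return -3;                            /* would not fit (room kept for the NUL) */
    memcpy(name, pkt + HDR_LEN, declared);
    name[declared] = '\0';
    return (int)declared;
}

/* Reports whether a request would overflow the unchecked handler, computed from
 * the header alone so it can be evaluated without performing the unsafe copy. */
int request_overflows_unchecked(const uint8_t *pkt, size_t pkt_len)
{
    if (pkt_len < HDR_LEN)
        return 0;
    size_t declared = ((size_t)pkt[0] << 8) | pkt[1];
    return declared > NAME_BUF;
}
```

The three rejection codes in the checked handler correspond to the three checks a network-facing parser needs before touching a fixed-size buffer: header present, declared length within received data, declared length within the destination.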
Affected Systems and Versions
- SIMATIC PCS neo V4.1 (all versions)
- SIMATIC PCS neo V5.0 (all versions)
- User Management Component (UMC) versions before V2.15.1.3
Any deployment of these products with UMC versions prior to V2.15.1.3 is vulnerable. The attack surface includes any configuration where the UMC service is network-accessible, especially if TCP ports 4002 or 4004 are exposed to untrusted networks.
Vendor Security History
Siemens has faced multiple critical vulnerabilities in the UMC component across 2024 and 2025. Notable examples include:
- CVE-2024-33698: Heap-based buffer overflow in UMC, CVSS 9.8
- CVE-2024-49775: Heap-based buffer overflow in UMC, CVSS 9.8
Siemens generally issues advisories and patches in a timely manner, but the recurrence of memory safety issues in UMC suggests ongoing challenges in secure development for this component.