A critical vulnerability, tracked as CVE-2024-49775, has been discovered in Siemens' User Management Component (UMC) that could allow attackers to execute arbitrary code. The flaw is a heap-based buffer overflow affecting industrial control systems used in manufacturing and the energy sector. UMC is a central component of Siemens' industrial automation suite, providing system-wide user management, so a compromise of it has consequences well beyond the component itself. The vulnerability was discovered by Tenable and disclosed on Thursday.

Successful exploitation could let attackers disrupt operations, exfiltrate data, or manipulate critical systems. Siemens has issued fixes for some affected products; fixes for the others are still in development. Until those are available, the company recommends restricting network access to UMC-related ports and following its operational guidelines for industrial security. The US Cybersecurity and Infrastructure Security Agency (CISA) has also issued guidance, urging organizations to conduct impact analyses and deploy defensive measures. No public exploitation of this vulnerability has been reported, but CISA encourages vigilance and recommends reporting any suspected malicious activity.