External risk intelligence

SIMATIC PCS neo User Management Remote Code Execution and Denial of Service.

CVE advisory. Severity: CRITICAL (CVSS 9.3)

CVE-2025-40795

A critical vulnerability in Siemens' SIMATIC PCS neo and its User Management Component (UMC), stemming from a stack-based buffer overflow, could allow unauthenticated remote attackers to execute arbitrary code or cause a denial of service. It affects industrial control and user management systems whenever the vulnerable component is reachable over a network.

Halo Surface Signal: 2

Buffer Overflow

Siemens Simatic Pcs Neo

4.15.0, before 2.15.1.3

External exposure likelihood

Halo Surface Signal score for CVE-2025-40795

The affected products are industrial control system software and user management components. While these are network-reachable, they are typically deployed within restricted operational technology or internal enterprise environments, not exposed to the public internet in normal deployments.

PCI scan relevance

PCI Relevance for CVE-2025-40795

Yes

CVE-2025-40795 — Halo PCI Relevance: Yes. Under typical PCI ASV external scan criteria, this issue may be flagged for scan prioritization.

This vulnerability allows an unauthenticated remote attacker to execute arbitrary code. A finding of this severity, particularly one enabling remote code execution, is typically an automatic fail in a PCI ASV scan if it is detected on an in-scope, externally facing component, because of the high risk of compromise.

Scan-prioritization guidance only—not a PCI DSS certification or ASV attestation.

Horizon Alert

Summary of the vulnerability and why it matters

A critical vulnerability exists in Siemens' SIMATIC PCS neo and User Management Component, potentially allowing unauthenticated attackers to execute code or disrupt services remotely. This issue resides within the integrated User Management Component.

  • Remote attackers could run code or cause disruptions.
  • It impacts industrial control and user management systems.
  • Confirm relevance and assess exposure to industrial systems.

Attack Path

How an attacker could exploit the issue

An attacker could exploit this vulnerability by sending a specially crafted network request to a reachable system running the vulnerable User Management Component, without authenticating first. Triggering the stack-based buffer overflow could let the attacker execute arbitrary code or cause a denial of service.

  • Entry condition: Network access, no authentication required.
  • Trigger point: Vulnerable User Management Component.
  • Resulting risk: Code execution or denial of service.

Live Threat

Current exploitation, exposure, and threat context

The integrated User Management Component within SIMATIC PCS neo could be at risk from an unauthenticated remote attacker due to a stack-based buffer overflow. This could lead to arbitrary code execution or a denial-of-service condition when the system is accessible over a network.

  • System access and control could be compromised.
  • Network-accessible systems may be targeted.
  • Service disruption or unauthorized code execution.

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

The critical vulnerability in SIMATIC PCS neo and its User Management Component impacts industrial control systems and user authentication. Ownership will likely fall to the teams managing these operational technology (OT) environments, potentially involving collaboration with IT infrastructure and security teams. The immediate first step is to inventory all instances of the affected software, confirm their network exposure and criticality to operations, and identify the specific asset owners responsible for each deployment. This information will then inform a prioritized remediation plan, considering vendor coordination and maintenance windows.

  • Ownership: OT and security teams manage affected systems.
  • Verify: Deployment reachability and operational criticality.
  • Action: Plan coordinated vendor-supported remediation.

Frequently asked questions

What is SIMATIC PCS neo and the User Management Component?

SIMATIC PCS neo is a process control system used for managing industrial automation. It relies on the integrated User Management Component (UMC) to handle authentication and identity tasks across the software. Both are central to access control in industrial environments: the UMC runs as a software service that centrally administers user accounts and permissions, so a flaw in it affects every system that trusts it for authentication.

What is the stack-based buffer overflow in CVE-2025-40795?

This vulnerability, classified as CWE-121, occurs when the software writes more data to a fixed-size memory buffer on the stack than the buffer can hold. Because the UMC component does not properly check the size of incoming data, an attacker can overwrite adjacent stack memory. In the context of CVE-2025-40795, this memory corruption can allow an attacker to run attacker-supplied code on the system or to crash the service, leading to a denial of service.
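The CWE-121 pattern described above, as an added illustration written for this page: it is not Siemens or UMC code, and the two-byte length prefix followed by a name field is a constructed wire format, not the UMC protocol. The same message is parsed once with the unchecked copy that characterises a stack-based buffer overflow and once with the bounds checks that reject an oversized message before anything is written to the stack buffer.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed wire format for this illustration (not the UMC protocol):
 * a two-byte big-endian length prefix followed by that many name bytes. */
#define HDR_LEN  2
#define NAME_MAX 32   /* fixed-size stack buffer used by both parsers */

static uint16_t read_u16be(const uint8_t *p)
{
    return (uint16_t)((p[0] << 8) | p[1]);
}

/* Vulnerable pattern (CWE-121): the attacker-controlled length prefix is
 * trusted, so a declared length larger than NAME_MAX makes memcpy write past
 * the end of the stack buffer 'name'. Shown for contrast only; it is never
 * called with hostile input in this file.                                   */
int parse_name_unsafe(const uint8_t *msg, size_t msg_len, char *out, size_t out_len)
{
    char name[NAME_MAX];
    if (msg_len < HDR_LEN)
        return -1;
    uint16_t declared = read_u16be(msg);
    memcpy(name, msg + HDR_LEN, declared);   /* no check against sizeof name */
    name[declared] = '\0';                   /* may also write out of bounds */
    snprintf(out, out_len, "%s", name);
    return 0;
}

/* Hardened pattern: validate the declared length against the buffer capacity
 * (leaving room for the terminator) and against the bytes actually received,
 * and reject the message before any copy takes place.                       */
int parse_name_safe(const uint8_t *msg, size_t msg_len, char *out, size_t out_len)
{
    char name[NAME_MAX];
    if (msg_len < HDR_LEN)
        return -1;                           /* truncated header */
    uint16_t declared = read_u16be(msg);
    if (declared >= sizeof name)
        return -2;                           /* would overflow 'name' */
    if ((size_t)declared > msg_len - HDR_LEN)
        return -3;                           /* claims more bytes than arrived */
    memcpy(name, msg + HDR_LEN, declared);
    name[declared] = '\0';
    snprintf(out, out_len, "%s", name);
    return 0;
}

/* Builds a message whose header declares an arbitrary length over
 * 'payload_len' filler bytes and returns the hardened parser's status code,
 * so the checks can be exercised with mismatched header and body sizes.    */
int check_declared_length(uint16_t declared, size_t payload_len)
{
    uint8_t msg[HDR_LEN + 512];
    char out[NAME_MAX];
    if (payload_len > sizeof msg - HDR_LEN)
        return -99;
    msg[0] = (uint8_t)(declared >> 8);
    msg[1] = (uint8_t)(declared & 0xff);
    memset(msg + HDR_LEN, 'A', payload_len);
    return parse_name_safe(msg, HDR_LEN + payload_len, out, sizeof out);
}

int main(void)
{
    /* Constructed well-formed message: length 5, name "admin". */
    static const uint8_t good[] = { 0x00, 0x05, 'a', 'd', 'm', 'i', 'n' };
    char out[NAME_MAX];

    if (parse_name_safe(good, sizeof good, out, sizeof out) == 0)
        printf("well-formed message accepted, name=%s\n", out);

    /* Header claims 300 bytes; the hardened parser refuses before copying. */
    printf("declared 300 over 5 received -> %d\n", check_declared_length(300, 5));
    /* Header claims 31 bytes but only 5 arrived. */
    printf("declared 31 over 5 received -> %d\n", check_declared_length(31, 5));
    return 0;
}
```

The two checks in `parse_name_safe` are independent: one bounds the copy by the destination's capacity, the other by the bytes actually received, and a parser that performs only the second is still exploitable by a sender who supplies a body as long as the header claims. Status codes -2 and -3 distinguish the two rejections so a caller can log which invariant the peer violated.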

How can an attacker trigger this vulnerability?

An attacker triggers this flaw by sending a specifically formatted network request to a system running the affected UMC software. The vulnerability is reached through the network stack directly; it does not require the attacker to have a valid user account, provide credentials, or interact with the system's login interface. Simply having network connectivity to the vulnerable service is enough to initiate the attack sequence.

Is my system at risk if it is not on the internet?

While CVE-2025-40795 is reachable over a network, Halo Surface Signal notes that products like SIMATIC PCS neo are typically housed within restricted operational technology or internal networks. If your system is truly isolated from both the public internet and untrusted internal segments, the risk is reduced. However, internal exposure still poses a threat if an attacker gains a foothold elsewhere in your private network infrastructure.

What should I do if I run these Siemens products?

Your first step is to inventory all deployments of SIMATIC PCS neo and the standalone User Management Component within your environment. Identify which systems are reachable over the network and assess their operational importance. Coordinate with your OT and security teams to plan for vendor-supported updates, ensuring you schedule these changes during planned maintenance windows to avoid unintended production disruptions.
