CVE-2024-33698 Siemens CVE debrief

Who should care

Organizations operating Siemens industrial automation software in manufacturing, process control, or critical infrastructure environments. Priority attention for environments with externally accessible engineering workstations, distributed control systems with UMC network exposure, or multi-site deployments relying on UMC for centralized user management. Security teams responsible for OT/ICS asset inventory, patch management, and network segmentation should prioritize this vulnerability due to its critical severity and unauthenticated exploitation vector.

Technical summary

The vulnerability exists in the User Management Component (UMC) integrated across Siemens' industrial software suite. A heap-based buffer overflow can be triggered remotely without authentication, enabling arbitrary code execution with the privileges of the UMC service. The UMC component typically listens on TCP ports 4002 and 4004 for inter-process communication and RT server functionality. The attack surface is network-accessible in default configurations, with no required user interaction or privileges. The vulnerability affects 11 distinct product versions spanning manufacturing execution systems (Opcenter), distributed control systems (SIMATIC PCS neo), network management (SINEC NMS), remote connectivity (SINEMA Remote Connect Client), and engineering workstations (TIA Portal). Remediation complexity varies: some products have specific versioned patches, others require component-level updates, and two product versions have no planned fixes necessitating compensating controls.

Defensive priority

Critical

Recommended defensive actions

• Apply vendor patches where available: TIA Portal V17 Update 8+, V18 Update 5+, V19 Update 3+; Opcenter Quality V2406+; Opcenter RDnL V2410+; SINEMA Remote Connect Client V3.2 SP3+; SIMATIC PCS neo V4.1 Update 2+ or V5.0+
• For SINEC NMS, update UMC component to V2.15.1.1 or later compatible version
• For products without fixes (SIMATIC PCS neo V4.0, TIA Portal V16), implement network segmentation to isolate affected systems
• Filter TCP ports 4002 and 4004 to restrict connections to only IP addresses of UMC machines within the UMC network using external firewall rules
• If RT server machines are not deployed, completely block port 4004
• Review CISA ICS recommended practices for defense-in-depth strategies in industrial control environments
• Monitor Siemens ProductCERT advisories for additional product additions or remediation updates

Evidence notes

CVE published 2024-09-10; advisory ICSA-24-256-03 initially published same date. Advisory revision history shows seven updates through 2025-10-14, with key expansions: 2024-10-08 added TIA Portal V19 fix; 2024-11-12 added Opcenter Execution Foundation, Opcenter Quality, Opcenter RDL, and TIA Portal V18 fix; 2025-01-14 added SIMATIC PCS neo V5.0 fix and removed SIMATIC Information Server products as not affected; 2025-03-11 added SINEMA Remote Connect Client; 2025-05-13 updated SINEC NMS remediation; 2025-10-14 added Opcenter RDnL and Opcenter Quality remediation. CVSS vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H confirmed from source. No KEV listing as of source data.

Official resources