Siemens Product Family September 2025 Routine Security Update Advisory
Overview
Siemens (https://www.siemens.com) has released a security update that fixes vulnerabilities in its products. Users of affected products are advised to update to the latest version.
Affected Products
Industrial Edge Management OS (IEM-OS) All versions
SIMATIC PCS neo V4.1 All versions
SIMATIC PCS neo V5.0 All versions
SIMATIC Technology Package TPCamGen (6ES7823-0FE30-1AA0) All versions
SIMATIC Virtualization as a Service (SIVaaS) All versions
SIMOTION OA MIIF (6AU1820-3DA20-0AB0) All versions
SIMOTION OACAMGEN (6AU1820-3EA20-0AB0) All versions
SIMOTION OALECO (6AU1820-3HA20-0AB0) All versions
SIMOTION OAVIBX (6AU1820-3CA20-0AB0) All versions
User Management Component (UMC) V2.15.1.3 and earlier versions
Resolved Vulnerabilities
Resource allocation without limits or throttling vulnerability in Industrial Edge Management due to missing validation of resource boundary values (CVE-2025-48976, CVSS 7.5) [2]
Incorrect privilege assignment vulnerability in SIMATIC Virtualization as a Service (SIVaaS) due to incorrect authorization of critical resources (CVE-2025-40804, CVSS 9.1) [4] [5]
Improper check for exceptional conditions vulnerability in SIMOTION Tools due to poor exception handling (CVE-2025-43715, CVSS 8.1) [3]
Out-of-bounds read vulnerability in User Management Component (UMC) (CVE-2025-40796 and 2 others, CVSS 7.5) [1]
Stack-based buffer overflow vulnerability in the User Management Component (UMC) (CVE-2025-40795, CVSS 9.8) [1]
Vulnerability Patches
The following vulnerability patches or mitigations were made available in the September 09, 2025 update. For more information on the patches, see the referenced sites.
SIMATIC PCS neo V4.1
SIMATIC PCS neo V5.0
Update to User Management Component (UMC) V2.15.1.3 and later versions
Industrial Edge Management OS (IEM-OS)
SIMATIC Technology Package TPCamGen (6ES7823-0FE30-1AA0)
SIMOTION OA MIIF (6AU1820-3DA20-0AB0)
SIMOTION OACAMGEN (6AU1820-3EA20-0AB0)
SIMOTION OALECO (6AU1820-3HA20-0AB0)
SIMOTION OAVIBX (6AU1820-3CA20-0AB0)
SIMATIC Virtualization as a Service (SIVaaS)
Referenced Sites
[1] SSA-722410 V1.0: Multiple Vulnerabilities in User Management Component (UMC)
https://cert-portal.siemens.com/productcert/html/ssa-722410.html
[2] SSA-640476 V1.0: Denial of Service Vulnerability in Industrial Edge Management
https://cert-portal.siemens.com/productcert/html/ssa-640476.html
[3] SSA-563922 V1.0: Local Privilege Escalation Vulnerability in SIMOTION Tools
https://cert-portal.siemens.com/productcert/html/ssa-563922.html
[4] SSA-534283 V1.0: Insecure File Share Vulnerability in SIMATIC Virtualization as a Service (SIVaaS)
https://cert-portal.siemens.com/productcert/html/ssa-534283.html