Cyber Resilience

CVE-2024-49775

Critical

Published: 16 December 2024

Published
16 December 2024
Modified
15 April 2026
KEV Added
Patch
CVSS Score v4 9.3 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0350 87.9th percentile
Risk Priority 21 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2024-49775 is a critical-severity Heap-based Buffer Overflow (CWE-122) vulnerability. Its CVSS base score is 9.3 (Critical).

Operationally, ranked in the top 12.1% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

Deeper analysis

A heap-based buffer overflow vulnerability, tracked as CVE-2024-49775 and assigned CWE-122, affects multiple Siemens industrial products including Opcenter Execution Foundation, Opcenter Intelligence, Opcenter Quality, Opcenter RDnL, SIMATIC PCS neo V4.0 through V5.0, SINEC NMS when used with UMC, and TIA Portal V16 through V19. The flaw resides in the integrated UMC component across all listed versions prior to the specified updates.

An unauthenticated remote attacker can exploit the issue over the network to execute arbitrary code, as reflected in the CVSS 9.3 rating that emphasizes no required authentication, user interaction, or special conditions.

The official Siemens advisory at https://cert-portal.siemens.com/productcert/html/ssa-928984.html addresses mitigation and patching guidance for the affected products. The associated EPSS score has remained flat at 0.0552 with no material increase since disclosure.

EU & UK References

Vulnerability details

A vulnerability has been identified in Opcenter Execution Foundation (All versions < V2501.0001), Opcenter Intelligence (All versions < V2501.0001), Opcenter Quality (All versions < V2512), Opcenter RDnL (All versions < V2410), SIMATIC PCS neo V4.0 (All versions), SIMATIC PCS neo…

more

V4.1 (All versions < V4.1 Update 3), SIMATIC PCS neo V5.0 (All versions < V5.0 Update 1), SINEC NMS (All versions if operated in conjunction with UMC < V2.15), Totally Integrated Automation Portal (TIA Portal) V16 (All versions), Totally Integrated Automation Portal (TIA Portal) V17 (All versions), Totally Integrated Automation Portal (TIA Portal) V18 (All versions), Totally Integrated Automation Portal (TIA Portal) V19 (All versions). Affected products contain a heap-based buffer overflow vulnerability in the integrated UMC component. This could allow an unauthenticated remote attacker to execute arbitrary code.

CWE(s)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

All
inferred from references and description; NVD did not file a CPE for this CVE

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.

References