Siemens Simcenter Femap and Parasolid

Plan PatchCVSS 7.8ICS-CERT ICSA-22-258-02Sep 13, 2022

Siemens

Attack path

Attack VectorLocal

Auth RequiredNone

ComplexityLow

User InteractionRequired

Summary

Siemens Parasolid and Simcenter Femap are affected by multiple file parsing vulnerabilities in X_T file format readers. These include buffer overflow (CWE-787), out-of-bounds read (CWE-125), and undefined behavior (CWE-824) vulnerabilities. If a user opens a malicious X_T file, an attacker can execute arbitrary code in the context of the application and user account. Affected versions: Parasolid V33.1 (<33.1.262), V34.0 (<34.0.252), V34.1 (<34.1.242), V35.0 (<35.0.161); Simcenter Femap V2022.1 (<2022.1.3), V2022.2 (<2022.2.2). These are not remotely exploitable and no public exploits currently exist.

What this means

What could happen

An attacker who tricks a user into opening a malicious X_T design file can execute arbitrary code on the engineering workstation running Simcenter Femap or Parasolid, potentially compromising process designs, simulations, or manufacturing workflows.

Who's at risk

Organizations using Simcenter Femap (CAD/simulation software) or Parasolid (3D geometric modeling library) on engineering workstations should be concerned. This affects companies that create or modify 3D designs, mechanical simulations, or manufacturing process plans—including automotive, aerospace, equipment manufacturers, and engineering consulting firms. The risk is highest if X_T files are shared externally or across untrusted networks.

How it could be exploited

An attacker crafts a malicious X_T file (a 3D geometry/modeling format) and tricks a user into opening it with Simcenter Femap or Parasolid. The file parsing vulnerabilities (buffer overflow, out-of-bounds access) in the X_T file reader trigger during file import, allowing the attacker to execute code in the context of the user's account on that workstation.

Prerequisites

User must open a malicious X_T file with Simcenter Femap or Parasolid
File must be delivered via email attachment, download link, or USB—social engineering attack
No special credentials or network access required

User interaction required (file opening)No authentication requiredLow complexity attack (crafted malicious file)High CVSS (7.8)Affects engineering/design workstations

Exploitability

Unlikely to be exploited — EPSS score 0.1%

Affected products (8)

8 with fix

ProductAffected VersionsFix Status

Parasolid V33.1<V33.1.26233.1.262

Parasolid V33.1≥ V33.1.262 <V33.1.26333.1.263

Parasolid V34.0<V34.0.25234.0.252

Parasolid V34.1<V34.1.24234.1.242

Parasolid V35.0<V35.0.16135.0.161

Parasolid V35.0≥ V35.0.161 <V35.0.16435.0.164

Simcenter Femap V2022.1<V2022.1.32022.1.3

Simcenter Femap V2022.2<V2022.2.22022.2.2

Remediation & Mitigation

0/8

Do now

0/1

WORKAROUNDDo not open X_T files from untrusted or unexpected sources; block unsolicited email attachments

Schedule — requires maintenance window

0/6

Patching may require device reboot — plan for process interruption

Parasolid V33.1

HOTFIXUpdate Parasolid V33.1 to version 33.1.263 or later

Parasolid V34.0

HOTFIXUpdate Parasolid V34.0 to version 34.0.252 or later

Parasolid V34.1

HOTFIXUpdate Parasolid V34.1 to version 34.1.242 or later

Parasolid V35.0

HOTFIXUpdate Parasolid V35.0 to version 35.0.164 or later

Simcenter Femap V2022.1

HOTFIXUpdate Simcenter Femap V2022.1 to version 2022.1.3 or later

Simcenter Femap V2022.2

HOTFIXUpdate Simcenter Femap V2022.2 to version 2022.2.2 or later

Long-term hardening

0/1

HARDENINGTrain users on email phishing and social engineering attacks; establish a policy for handling design files from external sources

CVEs (20)

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/9a622b67-ebc0-4412-ab11-1c6295be89d8

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.