Siemens Simcenter Femap and Parasolid
Plan: Patch
CVSS: 7.8
Source: ICS-CERT ICSA-22-258-02
Date: Sep 13, 2022
Attack Vector: Local
Auth Required: None
Complexity: Low
User Interaction: Required
Summary
Siemens Parasolid and Simcenter Femap are affected by multiple file parsing vulnerabilities in X_T file format readers. These include buffer overflow (CWE-787), out-of-bounds read (CWE-125), and undefined behavior (CWE-824) vulnerabilities. If a user opens a malicious X_T file, an attacker can execute arbitrary code in the context of the application and user account. Affected versions: Parasolid V33.1 (<33.1.262), V34.0 (<34.0.252), V34.1 (<34.1.242), V35.0 (<35.0.161); Simcenter Femap V2022.1 (<2022.1.3), V2022.2 (<2022.2.2). These are not remotely exploitable and no public exploits currently exist.
What this means
What could happen
An attacker who tricks a user into opening a malicious X_T design file can execute arbitrary code on the engineering workstation running Simcenter Femap or Parasolid, potentially compromising process designs, simulations, or manufacturing workflows.
Who's at risk
Organizations using Simcenter Femap (CAD/simulation software) or Parasolid (3D geometric modeling library) on engineering workstations should be concerned. This affects companies that create or modify 3D designs, mechanical simulations, or manufacturing process plans—including automotive, aerospace, equipment manufacturers, and engineering consulting firms. The risk is highest if X_T files are shared externally or across untrusted networks.
How it could be exploited
An attacker crafts a malicious X_T file (a 3D geometry/modeling format) and tricks a user into opening it with Simcenter Femap or Parasolid. The file parsing vulnerabilities (buffer overflow, out-of-bounds access) in the X_T file reader trigger during file import, allowing the attacker to execute code in the context of the user's account on that workstation.
Prerequisites
- User must open a malicious X_T file with Simcenter Femap or Parasolid
- File must be delivered by email attachment, download link, or USB drive (a social-engineering attack)
- No special credentials or network access required
- User interaction required (file opening)
- No authentication required
- Low complexity attack (crafted malicious file)
- High CVSS (7.8)
- Affects engineering/design workstations
Exploitability
Low exploit probability (EPSS 0.1%)
Affected products (8)
8 with fix
Product                    Affected Versions             Fix Status
Parasolid V33.1            < V33.1.262                   33.1.262
Parasolid V33.1            ≥ V33.1.262, < V33.1.263      33.1.263
Parasolid V34.0            < V34.0.252                   34.0.252
Parasolid V34.1            < V34.1.242                   34.1.242
Parasolid V35.0            < V35.0.161                   35.0.161
Parasolid V35.0            ≥ V35.0.161, < V35.0.164      35.0.164
Simcenter Femap V2022.1    < V2022.1.3                   2022.1.3
Simcenter Femap V2022.2    < V2022.2.2                   2022.2.2
Remediation & Mitigation
Do now
WORKAROUND: Do not open X_T files from untrusted or unexpected sources; block unsolicited email attachments
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
- HOTFIX: Update Parasolid V33.1 to version 33.1.263 or later
- HOTFIX: Update Parasolid V34.0 to version 34.0.252 or later
- HOTFIX: Update Parasolid V34.1 to version 34.1.242 or later
- HOTFIX: Update Parasolid V35.0 to version 35.0.164 or later
- HOTFIX: Update Simcenter Femap V2022.1 to version 2022.1.3 or later
- HOTFIX: Update Simcenter Femap V2022.2 to version 2022.2.2 or later
Long-term hardening
HARDENING: Train users on email phishing and social engineering attacks; establish a policy for handling design files from external sources
CVEs (20)