Siemens Simcenter Femap

Plan PatchCVSS 7.8ICS-CERT ICSA-25-226-04Aug 12, 2025

Siemens

Attack path

Attack VectorLocal

Auth RequiredNone

ComplexityLow

User InteractionRequired

Summary

Simcenter Femap versions prior to 2406.0003 (V2406 branch) and 2412.0002 (V2412 branch) contain file parsing vulnerabilities in the handling of STP (STEP) and BMP (bitmap) files. When a user opens a malicious STP or BMP file, a buffer overflow (CWE-787) or out-of-bounds read (CWE-125) is triggered, causing application crash or potential arbitrary code execution. Siemens has released patched versions that address both vulnerabilities.

What this means

What could happen

An attacker could trick a user into opening a malicious STP or BMP file in Simcenter Femap, causing the application to crash or potentially execute arbitrary code on the engineering workstation. This could compromise the integrity of design data or allow lateral movement from the workstation into the OT network.

Who's at risk

Engineering teams and CAD/design personnel who use Simcenter Femap for 3D finite element modeling and simulation. Organizations with remote engineering workstations are at higher risk if users receive malicious files via email or external file transfers. This affects Siemens design software environments but does not directly impact running production systems unless the workstation is connected to OT networks.

How it could be exploited

An attacker would need to craft a malicious STP or BMP file and trick a user (typically an engineer or designer) into opening it with Simcenter Femap via email, file share, or social engineering. The vulnerable file parsing code would be triggered on file open, leading to a buffer overflow or out-of-bounds read that could crash the application or execute code with the user's privileges.

Prerequisites

User must open a malicious file
Affected version of Simcenter Femap must be installed
User must have permission to open files from untrusted sources

local execution only (requires user interaction)high CVSS score (7.8)affects engineering workstations with potential OT network access

Exploitability

Unlikely to be exploited — EPSS score 0.0%

Affected products (2)

2 with fix

ProductAffected VersionsFix Status

Simcenter Femap V2412< 2412.00022412.0002

Simcenter Femap V2406< 2406.00032406.0003

Remediation & Mitigation

0/4

Do now

0/1

WORKAROUNDTrain users not to open STP or BMP files from untrusted or unsolicited sources

Schedule — requires maintenance window

0/2

Patching may require device reboot — plan for process interruption

Simcenter Femap V2406

HOTFIXUpdate Simcenter Femap V2406 to version 2406.0003 or later

Simcenter Femap V2412

HOTFIXUpdate Simcenter Femap V2412 to version 2412.0002 or later

Long-term hardening

0/1

HARDENINGBlock or restrict email attachments containing STP and BMP files at the gateway level

CVEs (2)

CVE-2025-40762 CVE-2025-40764

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/6f9b5059-4b77-4636-a896-0ddda42e2756

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.