OTPulse

Siemens Simcenter Femap

Plan Patch | 7.8 | ICS-CERT ICSA-25-226-04 | Aug 12, 2025
Attack Vector: Local
Auth Required: None
Complexity: Low
User Interaction: Required
Summary

Simcenter Femap contains two file parsing vulnerabilities in STP and BMP file format handling. When a user opens a malicious file in either format, the application can crash or execute arbitrary code. The vulnerabilities affect Simcenter Femap V2406 (before 2406.0003) and V2412 (before 2412.0002). Siemens has released patched versions that correct these issues.

What this means
What could happen
An attacker can trigger a crash or potentially run arbitrary code in Simcenter Femap if a user opens a specially crafted STP or BMP file, compromising the engineering workstation and any connected networks it can access.
Who's at risk
Engineering staff who use Simcenter Femap for mechanical design, simulation, or finite element analysis. This affects design and modeling environments at manufacturing plants, utilities, and engineering firms that rely on Siemens tools. The risk is highest in organizations where design files are shared via email or file servers.
How it could be exploited
An attacker sends a malicious STP or BMP file to an engineer via email or shares it on a file server. When the engineer opens the file in Simcenter Femap, the file parsing vulnerability is triggered, causing either a crash or execution of arbitrary code on the engineering workstation.
Prerequisites
  • User must manually open a malicious STP or BMP file in Simcenter Femap
  • Attack requires social engineering to trick the user into opening an untrusted file
  • No network access required; local application only
  • Low complexity attack
  • User interaction required
  • Not remotely exploitable
  • Affects engineering workstations that may have network access to control systems
Exploitability
Low exploit probability (EPSS 0.0%)
Affected products (2)
2 with fix
Product | Affected Versions | Fix Status
Simcenter Femap V2412 | < 2412.0002 | 2412.0002
Simcenter Femap V2406 | < 2406.0003 | 2406.0003
Remediation & Mitigation
Do now
WORKAROUND: Do not open untrusted or unexpected STP files in Simcenter Femap; verify the source before opening
WORKAROUND: Do not open untrusted or unexpected BMP files in Simcenter Femap; verify the source before opening
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

Simcenter Femap V2406
HOTFIX: Update Simcenter Femap V2406 to version 2406.0003 or later
Simcenter Femap V2412
HOTFIX: Update Simcenter Femap V2412 to version 2412.0002 or later
Long-term hardening
HARDENING: Educate engineering staff on email security and not opening attachments or files from untrusted sources
HARDENING: Restrict file-sharing access to STP and BMP files to authorized engineering staff only
HARDENING: Isolate engineering workstations from business networks to limit lateral movement if compromised