Siemens Solid Edge

Plan Patch | CVSS 7.8 | ICS-CERT ICSA-26-043-05 | Nov 17, 2025
Siemens
Attack path
Attack Vector: Local
Auth Required: None
Complexity: Low
User Interaction: Required
Summary

Solid Edge contains an out-of-bounds read vulnerability in the PS/IGES Parasolid Translator Component when processing IGS (IGES format) files. If a user opens a malicious IGS file, the application may crash or arbitrary code may be executed with user privileges. The vulnerability is triggered only when a user explicitly opens a crafted IGS file.

What this means
What could happen
An attacker could craft a malicious IGS (IGES format) file that, when opened in Solid Edge, crashes the application or executes arbitrary code on the engineering workstation running the software.
Who's at risk
Engineering and design departments that use Solid Edge for CAD/CAM design work. This affects workstations running Solid Edge, particularly those where users receive or exchange IGS format files with external parties or from untrusted sources.
How it could be exploited
An attacker creates a malicious IGS file and tricks a Solid Edge user into opening it (via email, shared storage, or social engineering). The out-of-bounds read in the Parasolid Translator component is triggered, causing a crash or, potentially, code execution with the privileges of the user who opened the file.
Prerequisites
  • User interaction required: the victim must be tricked into opening a malicious IGS file
  • Solid Edge must be installed on the workstation
  • The attacker needs the ability to deliver the malicious file to the target (email, web, shared drive, etc.)
  • Requires user interaction (file open)
  • Low complexity attack
  • Could lead to code execution on engineering workstation
  • IGS files are common in design workflows
Exploitability
Unlikely to be exploited — EPSS score 0.0%
Affected products (2)
2 with fix
Product | Affected Versions | Fix Status
PS/IGES Parasolid Translator Component | < 29.0.258 | 29.0.258
Solid Edge | < V226.00 Update 03 | 226.00 Update 03
Remediation & Mitigation
Do now
WORKAROUND: Restrict file execution from untrusted sources; disable auto-opening of IGS files from email and web downloads
HARDENING: Train users not to open IGS files from unknown or untrusted sources
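
To support the workaround above, the following added example (not part of the advisory and not Siemens code) lists IGES files on a workstation that still carry a Mark-of-the-Web from the Internet or Restricted zone, i.e. files that arrived by browser download or mail attachment. The function name, the search roots and the .igs/.iges extension list are assumptions to adapt locally.

```powershell
# Added example: find IGES files that were downloaded or received by mail
# and still carry a Mark-of-the-Web (Zone.Identifier alternate data stream).
# Assumptions: NTFS volumes, Windows PowerShell 3.0 or later; the default
# search roots and the extension list are illustrative, not from the advisory.
function Get-UntrustedIgesFile {
    param(
        [string[]]$Path      = @("$env:USERPROFILE\Downloads", "$env:USERPROFILE\Desktop"),
        [string[]]$Extension = @('.igs', '.iges'),
        [int]$MinZoneId      = 3   # 3 = Internet zone, 4 = Restricted sites
    )
    foreach ($root in $Path) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        Get-ChildItem -LiteralPath $root -Recurse -File -ErrorAction SilentlyContinue |
            Where-Object { $Extension -contains $_.Extension.ToLowerInvariant() } |
            ForEach-Object {
                # The stream is absent on locally created files and on files
                # copied through media that drop alternate data streams.
                $ads = Get-Content -LiteralPath $_.FullName -Stream Zone.Identifier `
                                   -ErrorAction SilentlyContinue
                if (-not $ads) { return }   # no mark: skip this file
                $zone = $null; $hostUrl = $null
                foreach ($line in $ads) {
                    if ($line -match '^\s*ZoneId\s*=\s*(\d+)') { $zone = [int]$Matches[1] }
                    elseif ($line -match '^\s*HostUrl\s*=\s*(.+)$') { $hostUrl = $Matches[1].Trim() }
                }
                if ($null -ne $zone -and $zone -ge $MinZoneId) {
                    [pscustomobject]@{
                        Path     = $_.FullName
                        ZoneId   = $zone
                        HostUrl  = $hostUrl      # origin URL, when the browser recorded it
                        Modified = $_.LastWriteTime
                    }
                }
            }
    }
}

# Newest first, so recently delivered files are reviewed before older ones.
Get-UntrustedIgesFile | Sort-Object Modified -Descending | Format-Table -AutoSize
```

A file without the stream is not proven safe: archives extracted by some tools and files copied from non-NTFS shares lose the mark, so this complements, rather than replaces, the update to the fixed version.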
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

Solid Edge
HOTFIX: Update Solid Edge to version 226.00 Update 03 or later