Siemens NX
Plan Patch · 7.8 · ICS-CERT ICSA-26-043-08 · Feb 10, 2026
Attack Vector: Local
Auth Required: None
Complexity: Low
User Interaction: Required
Summary
Siemens NX contains a missing data validation vulnerability in the PDF export process. When processing CGM (Computer Graphics Metafile) input files, the application does not properly validate data integrity. An attacker with local access can craft a malicious CGM file that, when opened and exported to PDF, could lead to arbitrary code execution. The vulnerability affects NX versions prior to 2512.
What this means
What could happen
An attacker with local access to a system running Siemens NX could craft a malicious file that, when exported to PDF, could execute arbitrary code with the privileges of the NX process.
Who's at risk
Organizations using Siemens NX for design, engineering, and CAD work should be aware of this vulnerability. This affects manufacturing, automotive, aerospace, and industrial equipment design teams who rely on NX for product modeling and documentation. The risk is primarily to the engineering workstations themselves, not to production systems or OT equipment directly, unless NX is used to generate control documents or configurations for industrial systems.
How it could be exploited
An attacker would need to gain local access to a machine running Siemens NX, then provide a crafted CGM (Computer Graphics Metafile) input file. When a user opens this file and exports it to PDF, the missing validation allows the attacker's code to execute during the export process.
Prerequisites
- Local access to the system running Siemens NX
- User action required: the user must open a malicious CGM file and export it to PDF
- An affected NX version (prior to 2512)

Key points:
- Local access required
- User interaction required (opening malicious file)
- Potential arbitrary code execution
- Low EPSS score indicates low exploitation likelihood in the wild
Exploitability
Low exploit probability (EPSS 0.0%)
Affected products (2)
2 with fix
| Product | Affected Versions | Fix Status |
|---|---|---|
| NX | < 2512 | 2512 |
| NX (Managed Mode) | < 2512 | 2512 |
Remediation & Mitigation
Do now
WORKAROUND: Do not open or import untrusted CGM files in Siemens NX
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
HOTFIX: Update Siemens NX to version 2512 or later
CVEs (1)