Siemens Simcenter Femap and Nastran

Plan Patch | CVSS 7.8 | ICS-CERT ICSA-26-048-01 | Feb 10, 2026
Siemens
Attack path
Attack Vector: Local
Auth Required: None
Complexity: Low
User Interaction: Required
Summary

Siemens Simcenter Femap and Nastran contain file parsing vulnerabilities in NDB and XDB file handling. When a user opens a malicious NDB or XDB file, buffer overflows or out-of-bounds reads can occur, potentially causing an application crash or arbitrary code execution. Multiple CWEs are involved: CWE-787 (out-of-bounds write), CWE-125 (out-of-bounds read), and CWE-122 (heap-based buffer overflow).

What this means
What could happen
An attacker could craft a malicious XDB or NDB file that, when opened in Simcenter Femap or Nastran, crashes the application or executes arbitrary code with the privileges of the user running the application.
Who's at risk
Engineering and CAE teams who use Siemens Simcenter Femap or Nastran for finite-element analysis and simulation work. Impact is limited to users who open malicious files; the application does not run continuously as a control system process.
How it could be exploited
An attacker sends or hosts a malicious XDB or NDB file and tricks a user into opening it with Simcenter Femap or Nastran. The file parsing vulnerability is triggered during file load, causing memory corruption or code execution.
Prerequisites
  • User interaction required—attacker must trick engineer or analyst into opening a crafted file
  • Affected version of Simcenter Femap or Nastran must be installed and accessible to the user
  • User interaction required
  • Low complexity to exploit if user is social engineered
  • Potentially affects confidentiality, integrity, and availability
Exploitability
Unlikely to be exploited — EPSS score 0.0%
Affected products (2)
2 with fix
Product | Affected Versions | Fix Status
Simcenter Femap | < 2512 | 2512
Simcenter Nastran | < 2512 | 2512
Remediation & Mitigation
Do now
WORKAROUND: Do not open XDB or NDB files from untrusted or unknown sources
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

Simcenter Femap
HOTFIX: Update Simcenter Femap to version 2512 or later
Simcenter Nastran
HOTFIX: Update Simcenter Nastran to version 2512 or later