Siemens Simcenter Femap and Nastran

Plan Patch7.8ICS-CERT ICSA-26-048-01Feb 10, 2026

Attack VectorLocal

Auth RequiredNone

ComplexityLow

User InteractionRequired

Summary

Siemens Simcenter Femap and Nastran contain multiple file parsing vulnerabilities in NDB and XDB format handling. A user tricked into opening a malicious file could cause the application to crash or potentially allow arbitrary code execution. The vulnerabilities are buffer overflow, buffer over-read, and out-of-bounds write flaws triggered during file parsing.

What this means

What could happen

If an operator opens a malicious file in Femap or Nastran, the application could crash and become unavailable, or an attacker could execute arbitrary commands on the engineering workstation with the privileges of the user running the software.

Who's at risk

Engineering organizations, automotive suppliers, and aerospace contractors that use Siemens Simcenter Femap and Nastran for finite element analysis and structural simulation should prioritize this update. The products are commonly used by design engineers and analysts on shared engineering workstations.

How it could be exploited

An attacker sends a malicious NDB or XDB file to an engineer and tricks them into opening it with Femap or Nastran. The file triggers a buffer overflow or buffer over-read vulnerability during parsing, allowing the attacker to crash the application or execute code on the workstation.

Prerequisites

User must open a malicious file in Femap or Nastran
File must be in NDB or XDB format

Requires user interaction (file open)Local attack vector onlyAffects engineering workstations with design softwareMultiple parsing vulnerabilities (CWE-787, CWE-125, CWE-122)

Exploitability

Low exploit probability (EPSS 0.0%)

Affected products (2)

2 with fix

ProductAffected VersionsFix Status

Simcenter Femap< 25122512

Simcenter Nastran< 25122512

Remediation & Mitigation

0/3

Do now

0/1

WORKAROUNDDo not open untrusted XDB or NDB files from unknown sources in Femap or Nastran

Schedule — requires maintenance window

0/2

Patching may require device reboot — plan for process interruption

Simcenter Femap

HOTFIXUpdate Simcenter Femap to version 2512 or later

Simcenter Nastran

HOTFIXUpdate Simcenter Nastran to version 2512 or later

CVEs (6)

CVE-2026-23715 CVE-2026-23716 CVE-2026-23717 CVE-2026-23718 CVE-2026-23719 CVE-2026-23720

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/9e57ed90-973e-49dd-a8ad-b03aa1a8ec0a