Luxion KeyShot Vulnerabilities in Solid Edge

Monitor7.8SSA-119468May 25, 2021

Attack VectorLocal

Auth RequiredNone

ComplexityLow

User InteractionRequired

Summary

Solid Edge SE2020 and SE2021 ship with outdated versions of the KeyShot rendering engine (V8 and V9 respectively). These versions contain memory corruption vulnerabilities including buffer overflow (CWE-787), out-of-bounds read (CWE-125), and XML external entity (CWE-611) flaws. A local attacker could trigger these flaws by crafting a malicious project or 3D model file, potentially achieving arbitrary code execution with the privileges of the user running Solid Edge. The vulnerabilities are in third-party code; Siemens is not providing Solid Edge updates but recommends users independently update KeyShot to version 10.2 or later.

What this means

What could happen

Vulnerabilities in the bundled KeyShot rendering engine could allow a local attacker to execute arbitrary code on engineering workstations running Solid Edge, potentially compromising project files and enabling lateral movement into design networks.

Who's at risk

Engineering departments and design teams using Solid Edge SE2020 or SE2021 for CAD design work. This affects any organization where project files may come from external vendors or untrusted sources. The vulnerability is most concerning in environments where engineering workstations have access to operational or critical infrastructure networks.

How it could be exploited

An attacker could craft a malicious file (likely a 3D model or project file) that exploits memory corruption vulnerabilities (buffer overflow, out-of-bounds read/write) in the KeyShot renderer when processed by Solid Edge. This requires the user to open the malicious file on an engineering workstation.

Prerequisites

Local access to engineering workstation or ability to deliver malicious file via email/network share
User interaction required: victim must open a crafted project or model file in Solid Edge
Solid Edge SE2020 or SE2021 with outdated bundled KeyShot component

Local attack vector (physical or remote desktop)User interaction requiredLow complexity exploitationNo patch available from Siemens for affected Solid Edge versionsMemory corruption vulnerabilities (buffer overflow, out-of-bounds access)Default or outdated third-party component

Exploitability

Low exploit probability (EPSS 0.9%)

Affected products (2)

2 EOL

ProductAffected VersionsFix Status

Solid Edge SE2020All versionsNo fix (EOL)

Solid Edge SE2021All versionsNo fix (EOL)

Remediation & Mitigation

0/4

Do now

0/1

WORKAROUNDRestrict file-sharing and email access to engineering workstations; implement controls to prevent opening untrusted 3D model files

Schedule — requires maintenance window

0/2

Patching may require device reboot — plan for process interruption

HOTFIXUpdate bundled KeyShot V8 (SE2020) to version 10.2 or later

HOTFIXUpdate bundled KeyShot V9 (SE2021) to version 10.2 or later

Mitigations - no patch available

0/1

The following products have reached End of Life with no planned fix: Solid Edge SE2020, Solid Edge SE2021. Apply the following compensating controls:

HARDENINGSegment design networks from operational networks to limit impact of workstation compromise

CVEs (5)

CVE-2021-27488 CVE-2021-27490 CVE-2021-27492 CVE-2021-27494 CVE-2021-27496

View full Siemens ProductCERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/2cb0387e-6300-4e29-986a-ef88cc602341