File Parsing Vulnerabilities in Simcenter Femap Before V2506

Plan Patch7.8SSA-674084Aug 12, 2025

Attack VectorLocal

Auth RequiredNone

ComplexityLow

User InteractionRequired

Summary

Simcenter Femap contains a file parsing vulnerability triggered when the application reads files in STP (STEP) or BMP (bitmap) file format. If a user opens a malicious file crafted in one of these formats, the application could crash or potentially execute arbitrary code due to improper handling of file data structures (buffer overflow and out-of-bounds memory access).

What this means

What could happen

An attacker could trick an engineer into opening a malicious CAD file, causing Femap to crash and interrupt design work, or potentially running arbitrary code on the engineering workstation with the user's privileges.

Who's at risk

Engineering teams and mechanical designers who use Simcenter Femap for CAD/CAM modeling. This includes equipment manufacturers, aerospace/defense contractors, automotive suppliers, and any organization using Femap for structural analysis and design work on critical infrastructure components or products.

How it could be exploited

An attacker crafts a malicious STP or BMP file and sends it to a Femap user (via email, file sharing, or website). When the user opens the file in Femap, the application attempts to parse the malicious data, triggering a buffer overflow or out-of-bounds memory access that crashes the application or allows code execution.

Prerequisites

User must open a malicious STP or BMP file in Femap
The user must be running a vulnerable version of Femap (V2406 before 0003, or V2412 before 0002)
Social engineering or access to file delivery channels (email, shared folders) to deliver the malicious file

Local file-based exploitation onlyUser interaction required (must open malicious file)Low exploit complexity (file format parsing)Affects engineering workstationsHigh impact if code execution achieved

Exploitability

Low exploit probability (EPSS 0.0%)

Affected products (2)

2 with fix

ProductAffected VersionsFix Status

Simcenter Femap V2406< 2406.00032406.0003

Simcenter Femap V2412< 2412.00022412.0002

Remediation & Mitigation

0/4

Do now

0/1

WORKAROUNDUntil patched, educate users not to open STP or BMP files from untrusted sources; disable preview functionality in file browsers for these formats if available

Schedule — requires maintenance window

0/2

Patching may require device reboot — plan for process interruption

Simcenter Femap V2406

HOTFIXUpdate Simcenter Femap V2406 to version 2406.0003 or later

Simcenter Femap V2412

HOTFIXUpdate Simcenter Femap V2412 to version 2412.0002 or later

Long-term hardening

0/1

HARDENINGRestrict file sharing access and monitor CAD file delivery channels to detect suspicious files

CVEs (2)

CVE-2025-40762 CVE-2025-40764

View full Siemens ProductCERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/894300ef-5e54-452b-8d42-d28c54bec0ab