Multiple Vulnerabilities in Solid Edge before SE2021MP8
Plan Patch · 7.8 · SSA-728618 · Sep 28, 2021
Attack Vector: Local
Auth Required: None
Complexity: Low
User Interaction: Required
Summary
Solid Edge versions before SE2021MP8 contain multiple file parsing vulnerabilities (CWE-416, CWE-125, CWE-824) in IFC, JT, and OBJ file handlers. Opening a malicious file in one of these formats could cause the application to crash or allow arbitrary code execution on the host system.
What this means
What could happen
An attacker could trick a designer or engineer into opening a malicious CAD file, causing Solid Edge to crash or execute arbitrary commands on the engineering workstation with the user's privileges.
Who's at risk
Design engineers and CAD operators at any organization using Solid Edge SE2021 should care about this vulnerability. It affects workstations used for product design, reverse engineering, or 3D model review across manufacturing, construction, infrastructure, and utility sectors.
How it could be exploited
An attacker sends a crafted IFC, JT, or OBJ file to a Solid Edge user (via email, file share, or download link). When the user opens the file in Solid Edge, the file parser processes the malicious content, triggering a use-after-free or buffer over-read vulnerability that allows code execution or application crash.
Prerequisites
- User must open a malicious file attachment or downloaded file in Solid Edge
- File must be in IFC, JT, or OBJ format
- No authentication required
- Low complexity attack
- Affects engineering workstations
- User interaction required
Exploitability
Low exploit probability (EPSS 0.7%)
Affected products (1)
Product | Affected Versions | Fix Status
Solid Edge SE2021 | < SE2021MP8 | SE2021MP8
Remediation & Mitigation
Do now
- WORKAROUND: Disable or remove support for IFC, JT, and OBJ file formats if not required for your design workflow
- HARDENING: Train users not to open CAD files from untrusted sources or unexpected emails
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
- HOTFIX: Update Solid Edge SE2021 to MP8 or later version
Long-term hardening
- HARDENING: Implement file source validation and restrict where design files can be opened from (e.g., only from internal repositories)
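One way to implement the file source validation described above, as an added example (not Siemens' or this advisory's own code). It assumes hypothetical repository roots and that the caller has already read the file's NTFS `Zone.Identifier` stream (Mark of the Web) and passes its text in.

```python
import configparser
import ntpath  # Windows path rules, usable on any OS

# File types whose parsers the advisory lists as affected.
RISKY_EXTENSIONS = {".ifc", ".jt", ".obj"}
# Assumption: hypothetical internal repository roots; replace with your own.
TRUSTED_ROOTS = [r"\\cadvault.example.internal\designs", r"D:\Vault"]


def _norm(path):
    # Collapse "." and ".." segments, unify slashes and case.
    # Does not follow symlinks or junctions; resolve those on the host first.
    return ntpath.normcase(ntpath.normpath(path))


def under_trusted_root(path, roots=TRUSTED_ROOTS):
    target = _norm(path)
    for root in roots:
        prefix = _norm(root).rstrip("\\") + "\\"
        if target.startswith(prefix):
            return True
    return False


def zone_id(zone_identifier_text):
    """Return ZoneId from the text of a Zone.Identifier stream, else None."""
    if not zone_identifier_text:
        return None
    parser = configparser.ConfigParser(interpolation=None)
    try:
        parser.read_string(zone_identifier_text)
        return parser.getint("ZoneTransfer", "ZoneId")
    except (configparser.Error, ValueError):
        return None


def verdict(path, zone_identifier_text=None):
    if ntpath.splitext(path)[1].lower() not in RISKY_EXTENSIONS:
        return "not-in-scope"
    zid = zone_id(zone_identifier_text)
    if zid is not None and zid >= 3:  # 3 = Internet, 4 = Restricted sites
        return "block-untrusted-zone"
    if not under_trusted_root(path):
        return "block-outside-repository"
    return "allow"
```

A file copied into a trusted root still carries its Mark of the Web, so the zone check runs before the location check.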
CVEs (10)