Multiple Vulnerabilities in Solid Edge before SE2021MP7

Plan Patch7.8SSA-818688Aug 10, 2021

Attack VectorLocal

Auth RequiredNone

ComplexityLow

User InteractionRequired

Summary

Siemens Solid Edge SE2021 before version SE2021MP7 contains three vulnerabilities: an XML external entity (XXE) injection and two file parsing flaws in OBJ file handling. If a user opens a malicious OBJ or XML file, the application may crash or execute arbitrary code on the workstation. The vulnerabilities are triggered only when the affected application processes a crafted file.

What this means

What could happen

An attacker could trick an engineer into opening a malicious CAD file, causing Solid Edge to crash, steal design data, or execute arbitrary commands on the engineering workstation with the user's privileges.

Who's at risk

Design and engineering departments using Siemens Solid Edge SE2021 for CAD work are affected. This includes any organization where engineers collaborate on product designs and may receive files from external sources or untrusted internal shares.

How it could be exploited

An attacker crafts a malicious OBJ or XML file and sends it to an engineer (via email, USB, or file share). When the engineer opens the file in Solid Edge, the XXE injection or file parsing flaw is triggered, allowing the attacker to extract files from the workstation or run code.

Prerequisites

Engineer must open a malicious CAD file (OBJ or XML) in Solid Edge
User interaction required (no automatic exploitation)
Attacker must be able to deliver the malicious file to the target user

user interaction requiredaffects engineering workstationscould lead to design data theftarbitrary code execution possible

Exploitability

Low exploit probability (EPSS 0.5%)

Affected products (1)

ProductAffected VersionsFix Status

Solid Edge SE2021All Versions < SE2021MP7SE2021MP7

Remediation & Mitigation

0/4

Do now

0/2

WORKAROUNDDisable or restrict the ability to open OBJ files in Solid Edge if they are not needed for your design workflow

HARDENINGTrain engineers to avoid opening CAD files from untrusted sources and verify file origin before opening

Schedule — requires maintenance window

0/1

Patching may require device reboot — plan for process interruption

HOTFIXUpdate Solid Edge SE2021 to version SE2021MP7 or later

Long-term hardening

0/1

HARDENINGImplement file input validation or content filtering on file shares and email systems to detect suspicious CAD files

CVEs (3)

CVE-2021-37178 CVE-2021-37179 CVE-2021-37180

View full Siemens ProductCERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/34d71518-4b52-4fd3-98de-5e91cfff62d9