File Parsing Vulnerabilities in Simcenter Femap before V2022.1.1
Plan Patch | 7.8 | SSA-949188 | Feb 17, 2022
Attack Vector: Local
Auth Required: None
Complexity: Low
User Interaction: Required
Summary
Simcenter Femap versions before 2022.1.1 contain buffer overflow and out-of-bounds write vulnerabilities in the file parser for .NEU and .BDF mesh file formats (CWE-787, CWE-121). A user tricked into opening a malicious file could leak information or execute arbitrary code in the Femap process context. The vulnerability requires user interaction to open a malicious file but has no authentication requirement once the file is processed.
What this means
What could happen
An attacker could trick a user into opening a malicious .NEU or .BDF file, allowing information disclosure or remote code execution within the Femap application, potentially compromising engineering design data or the workstation.
Who's at risk
Engineering teams and CAD/CAE analysts using Simcenter Femap for finite element modeling, particularly in automotive, aerospace, and mechanical design roles. Affects anyone using Femap for mesh file processing on engineering workstations.
How it could be exploited
An attacker creates a malicious .NEU or .BDF mesh file and sends it to an engineer via email or file share. When the engineer opens the file in Simcenter Femap, a buffer overflow or out-of-bounds write in the application's file parser can execute arbitrary code in the Femap process context.
Prerequisites
- User must open a malicious .NEU or .BDF file in Femap
- File must originate from an untrusted source or attacker-controlled channel
- User interaction required (file open)
- Buffer overflow vulnerability (CWE-787, CWE-121)
- Potential remote code execution
- Low EPSS score (0.9%)
- Not actively exploited
Exploitability
Low exploit probability (EPSS 0.9%)
Affected products (1)
| Product | Affected Versions | Fix Status |
| --- | --- | --- |
| Simcenter Femap | < V2022.1.1 | 2022.1.1 |
Remediation & Mitigation
Do now
- HARDENING: Implement user awareness training to avoid opening mesh files (.NEU, .BDF) from untrusted sources
- WORKAROUND: Consider disabling automatic file opening or enabling prompts for external file sources in Femap if available
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
- HOTFIX: Update Simcenter Femap to version 2022.1.1 or later
CVEs (2)