OTPulse

Multiple File Parsing Vulnerabilities in Simcenter Femap and Nastran Before V2512

Plan Patch · 7.8 · SSA-965753 · Feb 10, 2026
Attack Vector: Local
Auth Required: None
Complexity: Low
User Interaction: Required
Summary

Simcenter Femap and Nastran contain multiple file parsing vulnerabilities in NDB and XDB format handlers (CWE-787, CWE-125, CWE-122). When a user opens a malicious NDB or XDB file, the application may crash due to buffer overflow or out-of-bounds access, or potentially execute arbitrary code with the user's privileges.

What this means
What could happen
An attacker could craft a malicious CAE model file that crashes the engineering workstation running Femap or Nastran, disrupting simulation and analysis workflows. In the worst case, arbitrary code execution could allow the attacker to compromise the workstation and access sensitive CAE data or network resources.
Who's at risk
Engineering teams and design offices using Siemens Simcenter Femap or Nastran for finite element analysis and simulation should care about this vulnerability. It affects CAE (computer-aided engineering) workstations used for structural analysis, thermal analysis, and simulation in manufacturing, aerospace, automotive, and infrastructure sectors. Anyone who receives CAE model files from external sources or untrusted origins is at risk.
How it could be exploited
An attacker creates a malicious NDB or XDB file (Nastran/Femap model formats) and tricks an engineer into opening it via email or file sharing. When the file is opened in Femap or Nastran, the parser attempts to read malformed file headers or record structures, triggering a buffer overflow or out-of-bounds memory access. This allows the attacker to either crash the application or execute arbitrary code with the user's privileges on the engineering workstation.
Prerequisites
  • User interaction required: engineer must open the malicious file
  • File must be in NDB or XDB format (Nastran/Femap native formats)
  • Vulnerable version of Femap or Nastran must be installed
User interaction required · No authentication required · Low complexity · Default file formats used in CAE workflows
Exploitability
Low exploit probability (EPSS 0.0%)
Affected products (2)
2 with fix
Product | Affected Versions | Fix Status
Simcenter Femap | < 2512 | 2512
Simcenter Nastran | < 2512 | 2512
Remediation & Mitigation
Do now
WORKAROUND: Restrict opening of NDB and XDB files from untrusted sources until patches are applied
HARDENING: Implement email gateway rules to block or quarantine NDB and XDB file attachments from external sources
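
One way to express the attachment rule above, as an added example that is not part of the advisory or of any Siemens tooling: a Python filter that quarantines externally sent mail carrying NDB or XDB files, including files packed inside ZIP attachments. The internal domain example.com, the function names and the sample message builder are assumptions made for illustration.

```python
# Added example: flag inbound mail carrying NDB/XDB attachments for quarantine.
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

BLOCKED_EXTS = (".ndb", ".xdb")      # formats named in the advisory
INTERNAL_DOMAINS = {"example.com"}   # assumption: placeholder for your own mail domains

def _blocked(name: str) -> bool:
    # Case-insensitive; Windows drops trailing dots and spaces from file names.
    return name.lower().rstrip(". ").endswith(BLOCKED_EXTS)

def blocked_attachments(msg) -> list:
    """Names of NDB/XDB attachments, including members of attached ZIPs."""
    hits = []
    for part in msg.walk():
        name = part.get_filename()
        if not name:
            continue
        if _blocked(name):
            hits.append(name)
        elif name.lower().endswith(".zip"):
            try:
                with zipfile.ZipFile(io.BytesIO(part.get_payload(decode=True) or b"")) as zf:
                    hits += [f"{name}!{m}" for m in zf.namelist() if _blocked(m)]
            except zipfile.BadZipFile:
                hits.append(f"{name}!<unreadable archive>")  # fail closed
    return hits

def verdict(raw: bytes) -> str:
    """'quarantine' for external mail with NDB/XDB content, else 'deliver'."""
    msg = message_from_bytes(raw, policy=policy.default)
    hdr = msg["From"]  # a real gateway should key on the envelope sender instead
    addrs = hdr.addresses if hdr else ()
    external = not addrs or any(a.domain.lower() not in INTERNAL_DOMAINS for a in addrs)
    return "quarantine" if external and blocked_attachments(msg) else "deliver"

def sample(sender: str, filename: str, data: bytes) -> bytes:
    """Constructed test message (not real traffic)."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = sender, "cae@example.com", "model files"
    m.set_content("See attached.")
    m.add_attachment(data, maintype="application", subtype="octet-stream", filename=filename)
    return bytes(m)
```

Password-protected or nested archives are not opened by this filter; a gateway policy should decide separately whether to hold those.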
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

Simcenter Femap
HOTFIX: Update Simcenter Femap to version 2512 or later
Simcenter Nastran
HOTFIX: Update Simcenter Nastran to version 2512 or later