OTPulse

Open Design Alliance Drawings SDK Vulnerability in Solid Edge

Plan Patch · CVSS 7.8 · SSA-975766 · Jun 13, 2023
Attack Vector: Local
Auth Required: None
Complexity: Low
User Interaction: Required
Summary

Solid Edge SE2023 is affected by a file parsing vulnerability in the Open Design Alliance Drawings SDK. If a user opens a malicious DWG (drawing) file in the affected application, an attacker could crash the application or execute arbitrary code. The vulnerability exists in all versions of SE2023 prior to V223.0 Update 5.

What this means
What could happen
An attacker could crash Solid Edge or run arbitrary code on an engineering workstation if a user opens a malicious DWG (drawing) file. This could affect design workflows and, if engineering workstations have access to control system networks, could serve as a pivot point to reach PLCs or SCADA systems.
Who's at risk
Design and engineering teams using Solid Edge SE2023 for CAD work should prioritize this update. This affects any organization where engineers or designers create or edit mechanical designs, particularly those in manufacturing, water/wastewater treatment facilities with design departments, or utilities with in-house engineering teams.
How it could be exploited
An attacker crafts a malicious DWG file and distributes it (e.g., via email or file sharing). When an engineer or designer opens the file in Solid Edge, the vulnerable Drawings SDK parser processes the malformed file, triggering a memory safety bug that crashes the application or allows code execution in the context of the user running Solid Edge.
Prerequisites
  • User interaction required: engineer must open the malicious DWG file
  • Solid Edge must be installed on the workstation
  • Vulnerable version: Solid Edge SE2023 versions prior to V223.0 Update 5
  • User interaction required (user must open file)
  • Potential for arbitrary code execution
  • Could enable lateral movement from engineering workstations to control networks
Exploitability
Low exploit probability (EPSS 0.1%)
Affected products (1)
Product: Solid Edge SE2023
Affected Versions: All versions < V223.0 Update 5
Fix Status: 223.0 Update 5
Remediation & Mitigation
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Update Solid Edge SE2023 to version 223.0 Update 5 or later