Siemens’ Simcenter Femap has received a fresh security spotlight: two file‑parsing vulnerabilities that allow local code execution when a user opens specially crafted STP or BMP files, and Siemens has published fixed versions while U.S. authorities have republished the advisory for awareness. The vulnerabilities—tracked as CVE‑2025‑40762 (out‑of‑bounds write while parsing STP) and CVE‑2025‑40764 (out‑of‑bounds read while parsing BMP)—carry a CVSS v3.1 base score of 7.8 and Siemens recommends immediate upgrades to the versions released on August 12, 2025. Siemens ProductCERT, CISA’s advisory republications, and public CVE/NVD records corroborate the technical details and the vendor remediation guidance.
Background: why Simcenter Femap matters to Windows and manufacturing environments
Simcenter Femap is a Windows‑based engineering and finite element model pre/post‑processing tool used widely by design and manufacturing teams. It routinely handles large, complex model files in a variety of neutral and graphics formats, including STP (STEP) and BMP images used for textures, annotations, or embedded graphics. Because Femap runs on workstations that bridge design (IT) and production (OT) workflows, a file‑parsing vulnerability can serve as a local pivot point from an engineering workstation into larger corporate networks or into OT management paths when build and deployment pipelines are intertwined.

Siemens’ ProductCERT published advisory SSA‑674084 (File Parsing Vulnerabilities in Simcenter Femap Before V2506) on August 12, 2025, documenting both CVEs, the affected versions, and vendor remediation steps. The advisory explicitly lists the affected releases and recommended update builds.
CISA has republished Siemens’ advisory content in its ICS advisory collection to ensure U.S. operators and defenders see the notification; CISA also reiterates that Siemens ProductCERT is the canonical source for vendor updates. The security posture and operational guidance around these advisories reflect the applied industry practice: vendor advisory → national republish → rapid local patching and mitigations.
Executive summary of the technical findings
- Affected products:
  - Simcenter Femap V2406: all versions prior to V2406.0003 are affected.
  - Simcenter Femap V2412: all versions prior to V2412.0002 are affected.
- Vulnerabilities:
  - CVE‑2025‑40762 — Out‑of‑bounds write (CWE‑787) when parsing specially crafted STP files; can result in code execution in the context of the Femap process. CVSS v3.1 = 7.8 (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).
  - CVE‑2025‑40764 — Out‑of‑bounds read (CWE‑125) when parsing specially crafted BMP files; can similarly result in code execution. CVSS v3.1 = 7.8.
- Exploitability: both issues require local file access and user interaction (opening a malicious file), not trivial remote network exploitation in standard deployments. Because Femap is a desktop application that processes user‑supplied files, social engineering or malicious file delivery vectors (email attachments, shared network folders, removable media) are the likely pathways for real‑world exploitation. CISA and Siemens both describe the vector as local/file‑open oriented. (cisa.gov, cert-portal.siemens.com)
What the vendor and authorities say (verification and cross‑checks)
Siemens ProductCERT’s advisory SSA‑674084 is the primary vendor notification and enumerates the two CVEs, their CWEs, the fixed versions, and the simple mitigations (“do not open untrusted STP/BMP files”) alongside the upgrade recommendations. The advisory also credits the researchers: Trend Micro’s Zero Day Initiative for CVE‑2025‑40762 and Michael Heinzl for CVE‑2025‑40764.

CISA’s advisory and its prior Femap advisories (a series published since 2021) republish vendor findings and emphasize that continued tracking for Siemens product vulnerabilities is routed to Siemens ProductCERT; CISA’s republished material aligns with Siemens’ technical descriptions and scoring. This dual confirmation—vendor advisory + national cybersecurity authority—provides two trusted and independent sources for the key claims (vulnerability class, affected versions, remediation steps).

Public CVE/NVD records exist for both weaknesses and list the same affected releases and CVE metadata; for example, the NVD/CVE entry for CVE‑2025‑40764 has been enriched with the Siemens advisory as a reference and reproduces the high‑level description. That constitutes a third independent confirmation of the technical facts.
Note: where public trackers are still awaiting full enrichment (some CVE/NVD pages show “awaiting analysis”), the authoritative Siemens ProductCERT advisory remains the primary source for exact remediation build numbers and the CVSS vectors Siemens supplied. When vendor and national advisories align, the risk claims and fixes are verifiable. (cert-portal.siemens.com, nvd.nist.gov)
Risk evaluation: who should worry and how urgently
These vulnerabilities score as high on impact (CVSS v3.1 = 7.8), but they are not remotely exploitable by default—exploitation requires a user to open a crafted file. That reduces the immediate systemic urgency compared to a remotely exploitable network bug but elevates the operational concern in environments where:
- Engineering workstations process files from external collaborators, vendors, or supply‑chain exchanges.
- Shared build or packaging servers run tools that may open or process model files.
- Users have elevated privileges on their workstations (e.g., local admin) or the Femap process runs with higher privileges.
- There is a mix of IT and OT environments where a compromise on a design/engineering host could be used to pivot into production systems.
Vendor remediation and immediate mitigations
Siemens’ published fixes and guidance are straightforward:
- Update affected installations:
  - Upgrade Simcenter Femap V2406 to V2406.0003 or later.
  - Upgrade Simcenter Femap V2412 to V2412.0002 or later.
- Short‑term workarounds (if patching is not immediately feasible):
  - Do not open untrusted STP files (mitigates CVE‑2025‑40762).
  - Do not open untrusted BMP files (mitigates CVE‑2025‑40764).
- Siemens also reiterates generalized industrial security best practices: network segmentation, restricted network access to control/engineering systems, and following Siemens’ operational guidelines for industrial security.
Practical remediation checklist for Windows admins and IT/OT teams
- Inventory and prioritize
  - Identify all hosts running Simcenter Femap and record installed versions and build numbers.
  - Tag shared servers, automated build machines, and test workstations that might process STP/BMP files.
- Patch management (priority: high)
  - Test the Siemens update in a controlled environment.
  - Roll out V2406.0003 / V2412.0002 or later according to your change‑control calendar.
- Short‑term mitigations (if patching is delayed)
  - Block or filter STP and BMP attachments at email gateways and web proxies.
  - Restrict file‑sharing repositories to trusted partners and enable scanning for suspicious files.
  - Implement application allow‑listing for engineering workstations to prevent unauthorized execution of new binaries and DLLs.
  - Enforce least privilege for user accounts (do not run engineering apps as local admin).
- Detection and monitoring
  - Add telemetry to catch suspicious Femap process activity: unexplained child processes, abnormal memory access patterns, or process crashes when opening model files.
  - Monitor for mass‑delivered STP/BMP files from untrusted external addresses or anomalous uploads to shared folders.
- Post‑compromise readiness
  - Ensure backups of engineering data are segregated and that recovery plans are tested.
  - Prepare an incident response playbook for workstation compromise, including credential resets and lateral‑movement containment.
- Documentation and user education
  - Educate engineering users on the specific guidance: do not open STP or BMP files from untrusted sources.
  - Include the vendor advisory reference in your internal patch bulletin. (cert-portal.siemens.com, cisa.gov)
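As an added example (not from the Siemens advisory or any CISA tooling), a small Python triage script for the inventory and patch‑management steps above: it checks inventoried Femap version strings against the fixed builds named in SSA‑674084 and groups hosts by status. The hostnames and version strings are constructed, and the version format is assumed to follow the advisory’s V2406.0003 notation.

```python
from __future__ import annotations
import re

# First non-affected build per version line, as listed in SSA-674084.
FIXED_BUILDS = {2406: 3, 2412: 2}
# Assumed format: optional 'V', four-digit line, dot, build number (e.g. V2406.0003).
VERSION_RE = re.compile(r"^[vV]?(\d{4})\.(\d{1,4})$")


def parse_version(text: str) -> tuple[int, int] | None:
    """'V2406.0003' -> (2406, 3); None if the string does not match the format."""
    m = VERSION_RE.match(text.strip())
    return (int(m.group(1)), int(m.group(2))) if m else None


def assess(version: str) -> str:
    """Classify one installed version against the advisory's fixed builds."""
    parsed = parse_version(version)
    if parsed is None:
        return "unknown"      # unparseable: check the host by hand
    line, build = parsed
    if line not in FIXED_BUILDS:
        return "not-listed"   # line not covered by the advisory: confirm with ProductCERT
    return "patched" if build >= FIXED_BUILDS[line] else "affected"


# Constructed sample inventory; hostnames and versions are made up for illustration.
SAMPLE_INVENTORY = [
    ("eng-ws-01", "V2406.0002"),
    ("eng-ws-02", "V2406.0003"),
    ("build-srv-01", "2412.0001"),
    ("eng-ws-03", "V2412.0002"),
    ("eng-ws-04", "V2306.0004"),
    ("eng-ws-05", "2406"),
]


def triage(inventory: list[tuple[str, str]]) -> dict[str, list[str]]:
    """Group hosts by status so affected ones can be scheduled first."""
    out: dict[str, list[str]] = {"affected": [], "patched": [], "not-listed": [], "unknown": []}
    for host, version in inventory:
        out[assess(version)].append(host)
    return out


if __name__ == "__main__":
    for status, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{status:10s} {', '.join(hosts) or '-'}")
```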
Detection guidance: what to look for in telemetry
- Sudden Femap process crashes or repeated crashes triggered by file opens; such crashes often precede or accompany attempts to exploit a memory‑corruption bug. Correlate them with incoming STP/BMP attachments.
- New or unusual child processes spawned by Femap (e.g., shell commands, file‑transfer utilities) initiated from the Femap process context.
- Unusual network connections from engineering workstations to unknown endpoints immediately following a file open.
- Indicators of suspicious file delivery (email attachments with STP/BMP, unexpected ZIPs with those extensions, or scripts that convert/pipe those files into the application).
- Use EDR (Endpoint Detection and Response) sensors to alert on process injection, memory tampering, and abnormal module loads in the Femap process.
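As an added example (not part of the advisory or of any Siemens/CISA tooling), a Python correlation routine that implements the first two bullets above over constructed EDR‑style events: it flags a Femap open of an STP/BMP file followed within two minutes, on the same host, by a Femap crash or by a child process whose parent is Femap. The process image name femap.exe, the event field names and the two‑minute window are assumptions to adapt to your own telemetry.

```python
from __future__ import annotations
from datetime import datetime, timedelta

FEMAP_EXE = "femap.exe"                 # assumed process image name
WATCHED_EXT = (".stp", ".step", ".bmp")
WINDOW = timedelta(seconds=120)         # tunable correlation window

# Constructed sample telemetry (made-up hosts/times/paths), one dict per normalised EDR/Sysmon event.
SAMPLE_EVENTS = [
    {"ts": "2025-08-13T09:00:00", "host": "eng-ws-01", "type": "file_open",
     "image": "femap.exe", "path": r"C:\share\inbound\bracket_rev7.stp"},
    {"ts": "2025-08-13T09:00:41", "host": "eng-ws-01", "type": "process_crash",
     "image": "femap.exe"},
    {"ts": "2025-08-13T09:05:10", "host": "eng-ws-02", "type": "file_open",
     "image": "femap.exe", "path": r"C:\models\housing.bmp"},
    {"ts": "2025-08-13T09:05:12", "host": "eng-ws-02", "type": "process_create",
     "image": "cmd.exe", "parent_image": "femap.exe"},
    {"ts": "2025-08-13T09:30:00", "host": "eng-ws-03", "type": "file_open",
     "image": "femap.exe", "path": r"C:\models\frame.stp"},
    # an hour later: a crash this far from the file open is not correlated
    {"ts": "2025-08-13T10:30:00", "host": "eng-ws-03", "type": "process_crash",
     "image": "femap.exe"},
]

def _when(event: dict) -> datetime:
    return datetime.fromisoformat(event["ts"])

def correlate(events: list[dict]) -> list[tuple[str, str, str]]:
    """Alert when a watched file is opened in Femap and, on the same host within
    WINDOW, Femap crashes or spawns a child process. Returns (host, path, reason)."""
    ordered = sorted(events, key=_when)
    alerts = []
    for i, e in enumerate(ordered):
        if e["type"] != "file_open" or e["image"].lower() != FEMAP_EXE:
            continue
        if not e["path"].lower().endswith(WATCHED_EXT):
            continue
        for f in ordered[i + 1:]:
            if _when(f) - _when(e) > WINDOW:
                break                   # time-ordered, so nothing later can match
            if f["host"] != e["host"]:
                continue
            if f["type"] == "process_crash" and f["image"].lower() == FEMAP_EXE:
                alerts.append((e["host"], e["path"], "femap crash after file open"))
            elif f["type"] == "process_create" and f.get("parent_image", "").lower() == FEMAP_EXE:
                alerts.append((e["host"], e["path"], f"femap spawned {f['image']}"))
    return alerts
```

Feed `correlate()` your own normalised event stream; each returned tuple is one alert to route to the SIEM.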
Why a local, file‑parsing bug is still dangerous in modern environments
It is tempting to de‑prioritize local file vulnerabilities because they are not remotely exploitable, but in reality:
- Phishing and supply‑chain delivery of files remain extremely common and effective.
- Shared build systems, automated model converters and CI pipelines may open or process files automatically, expanding the attack surface beyond a single user click.
- Engineering workstations often have elevated permissions or access to sensitive network resources (license servers, file shares, build servers), so a single compromised host can facilitate broad lateral movement.
- Attackers are adept at delivering “innocuous” file formats that bypass naive filters; image formats such as BMP can be carriers for exploit payloads when parsed by vulnerable code.
Critical analysis: strengths, gaps, and residual risks
Strengths
- Siemens published definitive fixed versions quickly and documented the CVE mapping and CWE classes; the vendor advisory is clear on remediation builds and mitigation steps.
- CISA’s republication increases visibility for US‑based critical‑manufacturing operators and reiterates vendor guidance. The triad of vendor → national body → NVD/CVE entries creates redundancy that defenders can use to validate fixes. (cisa.gov, nvd.nist.gov)
Gaps and residual risks
- Attack vector remains user/local file oriented; despite being non‑remote, the vector fits well into social‑engineering playbooks.
- Some enterprise environments use automated file processing—if these systems accept untrusted files and feed them to Femap or conversion scripts, the risk becomes far more systemic.
- Organizations that lack tight asset inventories, segmentation, and application allow‑listing may fail to prioritize patching, leaving windows of exposure.
- CISA’s policy of deferring ongoing Siemens product advisory updates to Siemens ProductCERT (a practice in place since January 10, 2023) places the operational burden on organizations to monitor vendor channels proactively. Operators must adjust processes to subscribe to vendor advisories rather than relying entirely on republished CISA follow‑ups. (cisa.gov, cert-portal.siemens.com)
- At publication there are no confirmed reports of in‑the‑wild exploitation specifically targeting these CVEs. That claim is time‑sensitive and dependent on vendor/authority reports; defenders should treat it cautiously and re‑check threat feeds during incident response windows. CISA and Siemens state no known public exploitation at the time of their advisories. (cisa.gov, cert-portal.siemens.com)
Operational recommendations for WindowsForum readers and IT teams
- Treat this as a high‑priority patch for engineering workstations: schedule testing and rollouts for the Siemens updates in the next maintenance window.
- Apply compensating controls immediately: block untrusted STP/BMP attachments, enforce least privilege, and isolate engineering workstations into a restricted segment.
- Harden the supply chain: require vendors to deliver models via secure transfer mechanisms, scan all model files with multiple engines, and avoid automated unvetted file ingestion into build systems.
- Update detection rules in your EDR and SIEM platforms to flag process crashes, memory exceptions, and unexpected child processes of Femap.
- Subscribe to Siemens ProductCERT advisories and maintain an inventory of Siemens products and version levels so you are notified of follow‑ups and future advisories. Siemens ProductCERT is the authoritative source for updated fixes and CSAF advisory feeds.
Final assessment
The Simcenter Femap issues detailed in SSA‑674084 are a textbook example of how local file parsing vulnerabilities remain a credible and practical risk for organizations that mix engineering, design, and production IT. While the immediate exploitation vector requires user interaction, the potential impact—local code execution in the context of a privileged or trust‑bearing process—makes timely remediation essential.

The vendor has provided clear remediation builds and conservative mitigations; national authorities have republished the advisory to increase visibility; public CVE/NVD records align with the vendor details. Taken together, these independent confirmations make the technical claims verifiable and the recommended actions credible. Organizations should patch promptly, harden the host environments, and treat file delivery and shared processing pipelines as part of the risk surface to defend.
For the latest fixes and to confirm build numbers for your particular deployment, consult Siemens ProductCERT’s advisory SSA‑674084 and align your patching plan accordingly. (cert-portal.siemens.com, cisa.gov, nvd.nist.gov)
Source: CISA Siemens Simcenter Femap | CISA