Full Report
Siemens Simcenter Femap is affected by a memory corruption vulnerability that could be triggered when the application reads files in .NEU format. If a user is tricked into opening a malicious file with the affected application, an attacker could leverage the vulnerability to leak information or potentially perform remote code execution in the context of the current process. Siemens has released new versions for the affected products and recommends updating to the latest versions.
Analysis Summary
# Vulnerability: Memory Corruption in Siemens Simcenter Femap Parsing .NEU Files
## CVE Details
- **CVE ID:** CVE-2025-25175
- **CVSS Score:**
  - CVSS v3.1: 7.8 (High)
  - CVSS v4.0: 7.3 (High)
- **CWE:** CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer
## Affected Systems
- **Products:** Siemens Simcenter Femap (Advanced simulation software for finite element models).
- **Versions:**
  - Simcenter Femap V2401: All versions prior to V2401.0003
  - Simcenter Femap V2406: All versions prior to V2406.0002
- **Configurations:** Systems where the application is utilized to open or import Neutral (.NEU) format files.
## Vulnerability Description
The vulnerability is a memory corruption flaw in the parsing engine of Simcenter Femap. When the application processes specially crafted `.NEU` (Neutral) files, it fails to properly restrict operations within the bounds of a memory buffer. Because the application does not validate the file contents correctly, a malicious file can trigger a buffer overflow or similar memory corruption event.
## Exploitation
- **Status:** Not exploited (Reported via Trend Micro Zero Day Initiative - ZDI-CAN-25443). No public PoC currently available.
- **Complexity:** Low (v3.1) / High (v4.0 base vector reflects the requirement for user interaction).
- **Attack Vector:** Local. The attacker requires a user to manually open the malicious file (User Interaction Required).
## Impact
- **Confidentiality:** High (Potential for information leakage from process memory).
- **Integrity:** High (Potential for Remote Code Execution (RCE) within the context of the current process).
- **Availability:** High (Potential for application crash or system instability).
## Remediation
### Patches
Siemens recommends updating to the following versions:
- **Simcenter Femap V2401:** Update to **V2401.0003** or later.
- **Simcenter Femap V2406:** Update to **V2406.0002** or later.
### Workarounds
- **File Validation:** Do not open or import `.NEU` files received from untrusted or unknown sources.
- **General Hardening:** Protect network access to systems and ensure they are operated within a protected IT environment according to Siemens' operational guidelines.
## Detection
- **Indicators of Compromise:** Unusual application crashes when handling `.NEU` files; unexpected process behavior originating from `femap.exe`.
- **Detection Methods:** Security teams can monitor for the transfer of suspicious `.NEU` files via email or web gateways. Use endpoint detection and response (EDR) tools to monitor for anomalous child processes or memory injections associated with Simcenter Femap.
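
One way to apply the child-process check described above, as an added example that is not part of the Siemens advisory or any vendor tooling. It assumes process-creation events exported as JSON lines using Sysmon-style field names (`Image`, `ParentImage`, `ParentCommandLine`); the list of suspicious children, the hosts and the paths are illustrative assumptions.

```python
import json
import re
from pathlib import PureWindowsPath

PARENT = "femap.exe"  # process name given in the Detection section
# Assumption: interpreters and script hosts a simulation tool should not launch.
SUSPICIOUS_CHILDREN = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe",
                       "cscript.exe", "mshta.exe", "rundll32.exe"}
NEU_ARG = re.compile(r'"([^"]+\.neu)"|(\S+\.neu)\b', re.IGNORECASE)

def _name(path):
    """Lower-cased file name of a Windows path ('' if the field is missing)."""
    return PureWindowsPath(path or "").name.lower()

def triage(lines):
    """Return one finding per suspicious child process spawned by femap.exe."""
    findings = []
    for line in lines:
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # tolerate truncated or non-JSON log lines
        if _name(ev.get("ParentImage")) != PARENT:
            continue
        child = _name(ev.get("Image"))
        if child not in SUSPICIOUS_CHILDREN:
            continue
        # The opened file is only recoverable if it was passed on the command line.
        m = NEU_ARG.search(ev.get("ParentCommandLine") or "")
        findings.append({"host": ev.get("host"), "child": child,
                         "neu_file": (m.group(1) or m.group(2)) if m else None})
    return findings

def _ev(host, image, parent, parent_cmd):
    return json.dumps({"host": host, "Image": image, "ParentImage": parent,
                       "ParentCommandLine": parent_cmd})

# Constructed sample events; hosts and paths are placeholders, not real telemetry.
FEMAP = r"C:\PLACEHOLDER\femap.exe"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\PowerShell.EXE"
SAMPLE = [
    _ev("ws-01", r"C:\Windows\System32\cmd.exe", FEMAP,
        r'femap.exe "C:\Users\PLACEHOLDER\Downloads\bracket.NEU"'),
    _ev("ws-02", r"C:\PLACEHOLDER\helper.exe", FEMAP, "femap.exe"),
    _ev("ws-03", r"C:\Windows\System32\cmd.exe", r"C:\Windows\explorer.exe", "explorer.exe"),
    _ev("ws-04", PS, r"C:\PLACEHOLDER\FEMAP.EXE", "FEMAP.EXE"),
    '{"host": "ws-05", "Image": ',  # truncated line, skipped by the parser
]

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
```

A finding with a populated `neu_file` gives responders the file to quarantine and trace back through mail or web gateway logs; a finding without one still warrants review of what the user had open in Femap at that time.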
## References
- Siemens Security Advisory SSA-920092: hxxps://cert-portal.siemens[.]com/productcert/pdf/ssa-920092.pdf
- Siemens Support Portal: hxxps://support.sw.siemens[.]com/
- Siemens Industrial Security Guidelines: hxxps://www.siemens[.]com/cert/operational-guidelines-industrial-security