Siemens has released urgent patches for two high-severity vulnerabilities in its Simcenter Femap engineering simulation software that could allow local attackers to execute arbitrary code by convincing a user to open a specially crafted STP or BMP file. The flaws, tracked as CVE-2025-40762 and CVE-2025-40764, carry a CVSS v3.1 base score of 7.8 and affect multiple versions of the Windows-based application widely used in manufacturing and design environments. The fixes, available since August 12, 2025, address out-of-bounds write and read issues in the software’s file parsing routines, and both Siemens ProductCERT and the U.S. Cybersecurity and Infrastructure Security Agency (CISA) have issued coordinated advisories urging immediate upgrades.

Why Simcenter Femap Matters to Windows and Manufacturing Environments

Simcenter Femap is a Windows-based finite element modeling pre- and post-processing tool heavily used by design and manufacturing teams. It routinely handles large, complex model files in neutral and graphics formats, including STEP (STP) for 3D geometry and BMP for textures or embedded images. Because Femap bridges design (IT) and production (OT) workflows, any vulnerability in its file parsing becomes a potential pivot point from an engineering workstation into broader corporate networks or even production systems when build and deployment pipelines are intertwined.

The software’s reliance on user-supplied files makes it an attractive target for social engineering attacks. Engineering files often traverse email attachments, shared network folders, and removable media, providing multiple delivery paths for malicious content. A successful compromise can lead to intellectual property theft, model tampering, insertion of malicious code into downstream artifacts, or lateral movement into sensitive OT environments. For organizations in critical manufacturing sectors—where Femap is particularly prevalent—the blast radius of such an exploit can be severe.

Technical Details of the Vulnerabilities

Siemens’ ProductCERT advisory SSA-674084, published on August 12, 2025, documents two distinct memory corruption flaws:

  • CVE-2025-40762 (CWE-787 – Out-of-bounds Write): Occurs when parsing specially crafted STP files. An attacker can leverage the out-of-bounds write to corrupt memory and execute arbitrary code in the context of the Femap process. The vulnerability requires a local user to open a malicious file, but no privileges beyond basic user rights are needed.
  • CVE-2025-40764 (CWE-125 – Out-of-bounds Read): Triggered by a malformed BMP file. The out-of-bounds read can also lead to code execution under the same user-interaction conditions.

Both vulnerabilities share a CVSS v3.1 vector of AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H, resulting in a base score of 7.8. The impact is high across confidentiality, integrity, and availability. Exploitation requires local file access and user interaction (opening the file), ruling out direct remote network attacks in standard deployments. However, phishing campaigns, malicious attachments, or compromised shared repositories can easily deliver exploit files to unsuspecting engineers.

Affected Products and Fixed Versions

  • Simcenter Femap V2406: all versions prior to V2406.0003 are vulnerable. Upgrade to V2406.0003 or later.
  • Simcenter Femap V2412: all versions prior to V2412.0002 are vulnerable. Upgrade to V2412.0002 or later.

Siemens credits Trend Micro’s Zero Day Initiative for reporting CVE-2025-40762 and independent researcher Michael Heinzl for CVE-2025-40764.

Vendor and Authority Cross-Validation

Siemens ProductCERT’s advisory SSA-674084 is the primary notification and provides explicit build numbers, CWE classifications, and mitigation steps. CISA has republished the advisory content in its ICS advisory collection (ICSA-25-079-03) to ensure U.S. operators and defenders are aware. CISA also reiterates that Siemens ProductCERT is the canonical source for ongoing updates, a policy in effect since January 10, 2023.

Public CVE/NVD records align with the vendor details—e.g., NVD’s entry for CVE-2025-40764 references the Siemens advisory and reproduces the high-level description. This triad of vendor, national authority, and public database provides three independent confirmations of the technical facts, making the claims verifiable and the recommended actions credible.

Risk Evaluation: Who Should Worry and How Urgently

Although the CVSS score of 7.8 indicates high severity, the attack vector is local rather than remote by default. This reduces the immediate systemic urgency compared to a network-exploitable flaw but elevates the risk in environments where:

  • Engineering workstations process files from external collaborators, vendors, or supply-chain exchanges.
  • Shared build or packaging servers run tools that automatically handle model files.
  • Users possess elevated workstation privileges (e.g., local admin) or the Femap process runs with higher rights.
  • IT and OT networks are not properly segmented, allowing compromise to spread.

The realistic threat model involves phishing, malicious file attachments, or compromised shared repositories. In manufacturing and engineering firms, a single compromised workstation can grant attackers access to sensitive design IP, license servers, and back-end systems, making patch prioritization essential.

Vendor Remediation and Immediate Mitigations

Siemens’ guidance is clear:

  1. Update immediately: Install the fixed versions (V2406.0003 or V2412.0002) for all affected installations.
  2. Short-term workarounds:
    - Do not open untrusted STP files (mitigates CVE-2025-40762).
    - Do not open untrusted BMP files (mitigates CVE-2025-40764).
  3. General industrial security practices: Network segmentation, least privilege, and restricting network access to engineering systems.

CISA echoes these steps and adds standard OT/ICS best practices: isolate control and engineering networks from business networks, minimize internet exposure, and use hardened VPNs or jump hosts for remote access.

Practical Remediation Checklist for Windows Admins and IT/OT Teams

  • Inventory and Prioritize: Identify all hosts running Simcenter Femap, record installed versions, and tag shared servers or automated build machines that may process STP/BMP files.
  • Patch Management: Test the Siemens update in a controlled environment and roll out the fixed versions during the next planned maintenance window.
  • Short-Term Mitigations (if patching is delayed):
    - Block STP and BMP attachments at email gateways and web proxies.
    - Restrict file-sharing repositories to trusted partners and enable scanning.
    - Implement application allow-listing on engineering workstations.
    - Enforce least privilege; do not run Femap with local admin rights.
  • Detection and Monitoring: Add endpoint telemetry to catch suspicious Femap process activity—unexplained child processes, abnormal memory access, or crashes during file opens. Monitor for mass deliveries of STP/BMP files or anomalous uploads.
  • Post-Compromise Readiness: Segregate engineering data backups and test recovery plans. Prepare incident response playbooks for workstation compromise, including credential resets and lateral-movement containment.
  • User Education: Inform engineering users not to open STP or BMP files from untrusted sources, and include the vendor advisory reference in internal patch bulletins.
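As an added example that is not part of the advisory or this article, the following Python applies the inventory and prioritisation steps above: it classifies recorded versions against the fixed builds named in SSA-674084 and ranks unpatched hosts by the exposure factors listed earlier. The inventory records, hostnames, tags and risk weights are constructed for the example.

```python
import re

# First fixed update per product line, as stated in SSA-674084.
FIXED_UPDATES = {2406: 3, 2412: 2}

# Weights for the exposure factors the checklist names (constructed values, tune locally).
RISK_WEIGHTS = {"automated_ingest": 3, "shared_server": 2, "local_admin": 2,
                "external_files": 1, "flat_network": 2}

# Constructed inventory records; hostnames, versions and tags are made up for the example.
INVENTORY = [
    {"host": "ENG-01", "version": "V2406.0002", "tags": {"local_admin"}},
    {"host": "ENG-02", "version": "V2406.0003", "tags": set()},
    {"host": "BUILD-01", "version": "V2412.0001", "tags": {"automated_ingest", "shared_server"}},
    {"host": "ENG-03", "version": "V2412.0002", "tags": {"external_files"}},
    {"host": "LEGACY-01", "version": "V2401.0001", "tags": set()},
]


def parse_version(text):
    """'V2406.0003' -> (2406, 3); raises ValueError on anything else."""
    m = re.fullmatch(r"V(\d{4})\.(\d{4})", text.strip())
    if not m:
        raise ValueError(f"unrecognised Femap version string: {text!r}")
    return int(m.group(1)), int(m.group(2))


def assess(version):
    """Classify a version against the advisory: 'vulnerable', 'fixed' or 'unlisted'."""
    line, update = parse_version(version)
    fixed = FIXED_UPDATES.get(line)
    if fixed is None:
        return "unlisted"   # product line not named in SSA-674084; confirm with ProductCERT
    return "vulnerable" if update < fixed else "fixed"


def triage(inventory):
    """Hosts still needing action, highest exposure first: (score, host, version, status)."""
    work = []
    for rec in inventory:
        status = assess(rec["version"])
        if status == "fixed":
            continue
        score = 1 + sum(RISK_WEIGHTS.get(tag, 0) for tag in rec["tags"])
        work.append((score, rec["host"], rec["version"], status))
    return sorted(work, reverse=True)
```

Hosts whose product line is not named in the advisory come back as "unlisted" rather than "fixed", so they stay on the work list until confirmed against Siemens ProductCERT.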

Detection Guidance: What to Look For in Telemetry

Defenders should watch for these indicators of potential exploitation:

  • Sudden or repeated Femap process crashes after opening files—especially STP or BMP attachments.
  • New child processes spawned by Femap, such as shell commands or file-transfer utilities.
  • Unexpected network connections from engineering stations to unknown endpoints following a file open.
  • Suspicious file delivery patterns: email attachments with .stp/.bmp extensions, scripts that convert or pipe such files into the application.
  • EDR alerts on process injection, memory tampering, or abnormal module loads within the Femap process.
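As an added illustration that is not from the advisory or this article, the following Python runs two of the indicators above, a Femap crash shortly after an STP/BMP open and a shell spawned as a child of Femap, over constructed telemetry. The process image name femap.exe and the simplified key=value event format are assumptions, not vendor-documented facts.

```python
import re
from datetime import datetime, timedelta

# Assumption: the Femap process image is femap.exe; the advisory does not name it.
FEMAP_IMAGE = "femap.exe"
# Child images the indicator list calls out: shells and file-transfer utilities.
SUSPICIOUS_CHILDREN = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe",
                       "cscript.exe", "mshta.exe", "certutil.exe", "bitsadmin.exe"}
PARSED_EXTS = (".stp", ".step", ".bmp")   # formats named in the advisory (+ .step alias)
CRASH_WINDOW = timedelta(seconds=60)      # crash this soon after a parse is suspicious

# Constructed sample telemetry in a simplified key=value form (not real EDR output).
SAMPLE_EVENTS = """\
2025-08-13T09:01:02 type=file_open host=ENG-07 image=femap.exe path=C:\\Share\\bracket_v3.stp
2025-08-13T09:01:20 type=crash host=ENG-07 image=femap.exe module=femap.exe
2025-08-13T09:30:00 type=file_open host=ENG-07 image=femap.exe path=C:\\Models\\housing.bmp
2025-08-13T09:40:00 type=proc_create host=ENG-07 parent=femap.exe image=cmd.exe
2025-08-13T10:00:00 type=proc_create host=ENG-07 parent=explorer.exe image=cmd.exe
2025-08-13T10:05:00 type=file_open host=ENG-08 image=femap.exe path=C:\\Models\\frame.nas
2025-08-13T10:05:30 type=crash host=ENG-08 image=femap.exe module=femap.exe
"""


def parse_event(line):
    """Split '<iso timestamp> k=v k=v ...' into a dict with a datetime under 'ts'."""
    ts, rest = line.split(" ", 1)
    fields = dict(re.findall(r"(\w+)=(\S+)", rest))
    fields["ts"] = datetime.fromisoformat(ts)
    return fields


def analyze(text):
    """Return (host, rule, detail) alerts for the two indicators above."""
    alerts = []
    last_parse = {}   # host -> (time, path) of the latest STP/BMP opened in Femap
    for line in text.splitlines():
        ev = parse_event(line)
        host, kind, image = ev["host"], ev["type"], ev["image"].lower()
        if kind == "file_open" and image == FEMAP_IMAGE:
            if ev["path"].lower().endswith(PARSED_EXTS):
                last_parse[host] = (ev["ts"], ev["path"])
        elif kind == "crash" and image == FEMAP_IMAGE:
            opened = last_parse.get(host)
            if opened and ev["ts"] - opened[0] <= CRASH_WINDOW:
                alerts.append((host, "femap_crash_after_parse", opened[1]))
        elif kind == "proc_create" and ev.get("parent", "").lower() == FEMAP_IMAGE:
            if image in SUSPICIOUS_CHILDREN:
                alerts.append((host, "femap_suspicious_child", image))
    return alerts
```

The ENG-08 crash follows a .nas open rather than STP/BMP and the second cmd.exe is a child of explorer.exe, so neither is raised; the two ENG-07 events are.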

Why a Local File-Parsing Bug Is Still Dangerous

It’s easy to underestimate local file vulnerabilities because they lack remote attack vectors, but in reality:

  • Phishing and supply-chain file deliveries remain among the most common and effective attack methods.
  • Automated pipelines, such as CI/CD systems or model converters, may open files without user interaction, expanding the exposure surface.
  • Engineering workstations often hold elevated privileges and direct access to sensitive network shares, license servers, and build infrastructure.
  • File formats like BMP are often considered innocuous and may bypass naive content filters, turning them into ideal carriers for exploit payloads.

Combining vendor patches with robust organizational controls is therefore critical to reduce both the likelihood and the impact of an attack.

Critical Analysis: Strengths, Gaps, and Residual Risks

Strengths

  • Siemens published definitive fixed versions quickly, with clear CVE-to-CWE mapping and vendor advisory details.
  • CISA’s republication amplifies awareness among critical-manufacturing operators and reiterates vendor guidance.
  • The triple-redundancy of vendor–national authority–NVD confirmation makes the technical information reliable.

Gaps and Risks

  • The attack remains local and file-based and requires a user to open the file, which fits social-engineering playbooks well.
  • Automated file processing in some enterprises may inadvertently widen the attack surface.
  • Organizations lacking tight asset inventories, segmentation, or application allow-listing may delay patching.
  • CISA’s policy (since January 2023) to defer follow-ups to Siemens ProductCERT places the burden on organizations to proactively monitor vendor advisories.

Time-Sensitive Claim

As of the advisory publication dates, neither Siemens nor CISA had received reports of active exploitation. This status can change rapidly; defenders should monitor threat feeds and apply patches without assuming safety.

Operational Recommendations for WindowsForum Readers and IT Teams

  1. Treat these patches as high-priority for engineering workstations and schedule testing/rollout immediately.
  2. Apply compensating controls now: block untrusted STP/BMP files, enforce least privilege, and isolate engineering segments.
  3. Harden the supply chain: require secure model transfer, scan all incoming files with multiple engines, and avoid automatic ingestion into build systems.
  4. Update EDR and SIEM detection rules for Femap-specific anomalies.
  5. Subscribe to Siemens ProductCERT advisories (https://cert-portal.siemens.com/productcert/) and maintain an accurate inventory of all Siemens products and versions.

Final Assessment

The Simcenter Femap issues detailed in SSA-674084 exemplify how local file parsing vulnerabilities continue to pose credible risk to organizations that blend design, engineering, and production IT. While exploitation requires user interaction, the potential for local code execution in a privileged or trusted process makes timely remediation essential. Siemens has provided clear upgrade paths and mitigations; CISA’s republication amplifies the urgency. Taken together, these independent confirmations leave no room for doubt—organizations using Femap must patch promptly, harden host environments, and treat file delivery pipelines as part of the attack surface.

For the latest fixes and to verify build numbers for your deployment, consult Siemens ProductCERT’s advisory SSA-674084 (https://cert-portal.siemens.com/productcert/html/ssa-674084.html) and the associated CISA ICS advisory (https://www.cisa.gov/news-events/ics-advisories/icsa-25-079-03).