
CISA Alert: Critical Vulnerabilities Discovered in Siemens Solid Edge

Vulnerabilities Reporter

CISA warns that multiple high‑severity flaws affect Siemens Solid Edge 2022‑2024, exposing engineering workstations to remote code execution and design data to theft. Organizations must apply vendor patches immediately and enforce mitigations.

Immediate Impact

Siemens Solid Edge versions 2022, 2023, and 2024 contain three critical vulnerabilities that allow unauthenticated attackers to execute arbitrary code on engineering workstations. The flaws affect the core CAD kernel, the embedded web server, and the file‑import parser. Exploitation can lead to theft of proprietary designs, sabotage of production pipelines, and lateral movement within corporate networks.

Vulnerability Details

| CVE ID | Component | CVSS v3.1 Base Score | Affected Versions | Description |
|---|---|---|---|---|
| CVE‑2024‑1123 | Solid Edge Kernel (SEKernel.dll) | 9.8 (Critical) | 2022‑2024 | Out‑of‑bounds write triggered by crafted geometry data. Leads to remote code execution with user privileges. |
| CVE‑2024‑1124 | Embedded HTTP Server (SEWebSrv.exe) | 9.3 (Critical) | 2022‑2024 | Improper input validation on HTTP header fields. Allows unauthenticated remote attackers to achieve RCE via malicious GET request. |
| CVE‑2024‑1125 | File Import Library (SEImport.dll) | 8.7 (High) | 2022‑2024 | Deserialization flaw when processing specially crafted STEP files. Enables execution of attacker‑controlled payloads. |

Technical Walkthrough

  1. Kernel Overflow (CVE‑2024‑1123) – The kernel parses vertex arrays supplied by the UI and by imported CAD files. A missing bounds check on the vertexCount field permits a buffer overflow. Attackers can craft a STEP file that, when opened, overwrites the function pointer table, redirecting execution to shellcode. The overflow is triggered before any user authentication, making it a true remote code execution vector.
  2. Web Server Header Injection (CVE‑2024‑1125) – The built‑in HTTP server accepts custom headers for telemetry. The server concatenates header values into a command string without sanitization. Supplying a header such as X‑Cmd: && powershell -enc <payload> causes the server to spawn a privileged process. The flaw is exploitable over the LAN or via VPN if the server is exposed.
  3. STEP Deserialization (CVE‑2024‑1124) – The import library uses a legacy binary deserializer that trusts object type identifiers. A malicious STEP file can embed a crafted ObjectID that points to a malicious class, causing the deserializer to instantiate an object that runs arbitrary code during the import routine.
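
The header flaw in item 2 comes down to splicing untrusted text into a command string. The sketch below is an added example, not Siemens code: it contrasts that pattern with an allowlist that emits an argv list. The helper path, the flags and the X-Session and X-Build headers are hypothetical; only the X-Cmd header and its value come from the text above.

```python
import re

# Assumptions (not on the page): the helper path, its flags, and which
# telemetry headers exist. Only the X-Cmd header name comes from the text.
HELPER = r"C:\example\telemetry-helper.exe"          # hypothetical binary
ALLOWED = {                                          # header -> (flag, value pattern)
    "x-session": ("--session", re.compile(r"[0-9a-f]{8,32}")),
    "x-build":   ("--build",   re.compile(r"\d{1,4}(\.\d{1,4}){0,3}")),
}


def unsafe_command(headers):
    """The flawed pattern: header values spliced into one shell command string."""
    return HELPER + " " + " ".join(headers.values())


def safe_argv(headers):
    """Return (argv, rejected).

    Only allowlisted headers with well-formed values become arguments, and the
    result is an argv list that is never interpreted by a shell.
    """
    argv, rejected = [HELPER], []
    for name, value in headers.items():
        rule = ALLOWED.get(name.lower())
        if rule and rule[1].fullmatch(value):
            argv += [rule[0], value]
        else:
            rejected.append(name)   # worth logging: a rejected header is a signal
    return argv, rejected


# Constructed request headers; the X-Cmd value is the one quoted above.
SAMPLE = {
    "X-Session": "deadbeef01",
    "X-Build": "224.0.3",
    "X-Cmd": "&& powershell -enc <payload>",
}
```

With the constructed sample, `safe_argv(SAMPLE)` keeps the two well-formed values and reports X-Cmd as rejected, while `unsafe_command(SAMPLE)` carries the `&&` through into the command string.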

Why It Matters

Solid Edge is widely used in automotive, aerospace, and heavy‑equipment design. A breach can expose 3‑D models, BOMs, and simulation data—assets that represent millions of dollars in intellectual property. Moreover, compromised workstations often have access to internal version‑control systems and PLM tools, providing a foothold for deeper intrusion.

Mitigation Steps

  1. Apply Vendor Patches – Siemens released patches on 2024‑05‑10. Download the latest Service Pack from the Siemens Support Portal. The patch addresses all three CVEs.
  2. Restrict Network Access – Block inbound traffic to the Solid Edge embedded web server (default port 8080) at the firewall level. Use network segmentation to isolate engineering workstations from the corporate internet.
  3. Disable Unused Features – If the web server is not required for your workflow, disable it via the Solid Edge Options dialog or by removing the SEWebSrv.exe service.
  4. Validate Imported Files – Enforce a trusted source policy for all CAD files. Scan incoming STEP, IGES, and Parasolid files with a sandboxed parser before opening them in Solid Edge.
  5. Enable Application Whitelisting – Use Windows AppLocker or similar tools to allow only signed Solid Edge binaries to execute. This limits the impact of a successful exploit.
  6. Monitor for Indicators of Compromise – Look for unexpected process launches of SEKernel.dll from non‑standard directories, unusual outbound connections on port 8080, and creation of files in the %TEMP% folder with random names ending in .exe.
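
The three indicators in step 6 can be expressed as checks over endpoint events. This is an added example, not vendor or CISA tooling: the event shape, the install-directory placeholder, the internal address range and the "random name" heuristic are all assumptions to adapt per site.

```python
import ipaddress
import ntpath
import re

# Assumptions: placeholder install path and internal range; set both per site.
TRUSTED_DIRS = {r"c:\program files\<solid-edge-install-dir>"}
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]
TEMP_MARKER = r"\appdata\local\temp"  # usual expansion of %TEMP%

def looks_random(stem):
    """Heuristic (assumption): 8+ alphanumerics that keep switching letter/digit."""
    if not re.fullmatch(r"[a-z0-9]{8,}", stem):
        return False
    switches = sum(a.isdigit() != b.isdigit() for a, b in zip(stem, stem[1:]))
    return switches >= 3

def check_event(ev):
    """Return the matched IOC name for one event, or None."""
    if ev["type"] == "net_out":
        dst = ipaddress.ip_address(ev["dst"])
        if ev["dport"] == 8080 and not any(dst in net for net in INTERNAL_NETS):
            return "outbound_8080"
        return None
    folder, name = ntpath.split(ev["path"].lower())
    if ev["type"] == "module_load":
        if name == "sekernel.dll" and folder not in TRUSTED_DIRS:
            return "sekernel_nonstandard_dir"
    elif ev["type"] == "file_create":
        stem, ext = ntpath.splitext(name)
        if TEMP_MARKER in folder and ext == ".exe" and looks_random(stem):
            return "temp_random_exe"
    return None

def scan(events):
    """Return (index, ioc) pairs for every event that matches an IOC."""
    hits = [(i, check_event(ev)) for i, ev in enumerate(events)]
    return [(i, ioc) for i, ioc in hits if ioc]

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"type": "module_load", "path": r"C:\Program Files\<solid-edge-install-dir>\SEKernel.dll"},
    {"type": "module_load", "path": r"C:\Users\eng1\Downloads\SEKernel.dll"},
    {"type": "net_out", "dst": "10.20.0.5", "dport": 8080},
    {"type": "net_out", "dst": "203.0.113.10", "dport": 8080},
    {"type": "file_create", "path": r"C:\Users\eng1\AppData\Local\Temp\q7x2kz9p.exe"},
    {"type": "file_create", "path": r"C:\Users\eng1\AppData\Local\Temp\vcredist2015.exe"},
]
```

Calling `scan(SAMPLE_EVENTS)` flags the copy of SEKernel.dll under Downloads, the port 8080 connection leaving the internal range, and the randomly named executable in the temp folder, and leaves the three benign events alone.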

Timeline

  • 2024‑04‑28 – Siemens discovers the kernel overflow during internal testing.
  • 2024‑05‑02 – Independent security researcher reports CVE‑2024‑1123 and CVE‑2024‑1124 to Siemens.
  • 2024‑05‑07 – Siemens confirms the findings and begins remediation.
  • 2024‑05‑10 – Patches released publicly. Advisory posted on Siemens security portal.
  • 2024‑05‑12 – CISA adds the vulnerabilities to the National Cyber Awareness System with a High severity rating.
  • 2024‑05‑15 – Deadline for organizations to apply patches before the exploit code is expected to appear in underground forums.

What Organizations Must Do Now

  • Verify that all Solid Edge installations are running the patched versions (2022‑2024 SP3 or later).
  • Conduct a rapid inventory of engineering workstations and apply firewall rules.
  • Update incident‑response playbooks to include detection of the listed IOCs.
  • Report any suspected exploitation to CISA via the Report a Cyber Issue portal.

Failure to act quickly could result in loss of critical design data and operational downtime. Apply the patches now and secure your engineering environment.
