CISA has added two high-severity flaws in Siemens simulation software to its Known Exploited Vulnerabilities Catalog, warning of active exploitation risks.
Two high-severity remote code execution vulnerabilities have been discovered in Siemens Simcenter Femap and Siemens Simcenter 3D Nastran software, prompting the Cybersecurity and Infrastructure Security Agency (CISA) to add them to its Known Exploited Vulnerabilities Catalog.
Affected Products and Severity
The vulnerabilities impact:
- Siemens Simcenter Femap versions prior to 2306
- Siemens Simcenter 3D Nastran versions prior to 2306
Both flaws carry a CVSS v3.1 base score of 8.8 (High severity), indicating they can be exploited remotely without authentication to execute arbitrary code on vulnerable systems.
Technical Details
While Siemens has not published detailed technical advisories at the time of writing, the inclusion in CISA's catalog suggests these vulnerabilities are being actively exploited in the wild. The catalog specifically lists vulnerabilities that pose significant risks to federal agencies and critical infrastructure.
Immediate Mitigation Required
Organizations using affected versions must:
- Update to Siemens Simcenter Femap 2306 or later
- Update to Siemens Simcenter 3D Nastran 2306 or later
- Apply updates immediately if running vulnerable versions
Timeline and Context
The vulnerabilities were added to CISA's catalog on April 1, 2025, with a deadline of April 15, 2025 for federal agencies to patch or remove affected systems. This two-week window reflects the critical nature of the flaws and active exploitation risk.
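The following added example (not from Siemens or CISA) shows one way to triage a software inventory against the fixed release and the federal deadline given above. The inventory layout, host names and version strings are constructed, and the parser assumes versions are reported as numeric release strings such as "2301" or "2306.0001".

```python
from datetime import date

# Values taken from the article: fixed release and the federal patch deadline.
FIXED_VERSION = 2306
KEV_DUE = date(2025, 4, 15)
AFFECTED = {"Simcenter Femap", "Simcenter 3D Nastran"}

# Constructed sample inventory (hypothetical hosts and version strings).
SAMPLE_INVENTORY = [
    {"host": "eng-ws-01", "product": "Simcenter Femap", "version": "2301"},
    {"host": "eng-ws-02", "product": "Simcenter Femap", "version": "2306"},
    {"host": "sim-node-7", "product": "Simcenter 3D Nastran", "version": "2212.0003"},
    {"host": "sim-node-8", "product": "Simcenter 3D Nastran", "version": "unknown"},
    {"host": "cad-ws-11", "product": "Other CAD Tool", "version": "1.0"},
]

def parse_version(raw):
    """Return the leading numeric release ('2306.0001' -> 2306), or None."""
    head = raw.strip().split(".")[0]
    return int(head) if head.isdigit() else None

def triage(inventory, today):
    """Return (host, product, version, status) for each affected product.

    status is 'patched', 'vulnerable' (deadline not yet passed),
    'overdue' (still unpatched after the deadline) or 'review'
    (version string could not be parsed, so it is not assumed safe).
    """
    results = []
    for row in inventory:
        if row["product"] not in AFFECTED:
            continue  # not one of the two products named in the article
        version = parse_version(row["version"])
        if version is None:
            status = "review"
        elif version >= FIXED_VERSION:
            status = "patched"
        elif today > KEV_DUE:
            status = "overdue"
        else:
            status = "vulnerable"
        results.append((row["host"], row["product"], row["version"], status))
    return results

if __name__ == "__main__":
    today = date.today()
    print(f"Days relative to deadline: {(KEV_DUE - today).days}")
    for host, product, version, status in triage(SAMPLE_INVENTORY, today):
        print(f"{status.upper():<10} {host:<12} {product} {version}")
```

Hosts that come back as "review" need a manual version check before they are counted as patched.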
Broader Implications
Siemens simulation software is widely used in engineering, manufacturing, and industrial design across multiple sectors. The discovery of remote code execution vulnerabilities in these tools highlights the growing attack surface in industrial software and the need for rigorous security practices in engineering applications.
Organizations should also review their incident response plans and monitor for any unusual activity that might indicate exploitation attempts, particularly if immediate patching is not feasible due to operational constraints.
Security teams should prioritize these updates given the combination of high severity, remote exploitation capability, and active threat actor interest indicated by CISA's catalog inclusion.