Full Report
Simcenter Femap is affected by a heap-based buffer overflow vulnerability in the Datakit library that could be triggered when the application reads files in IPT format. If a user is tricked into opening a malicious file with the affected application, an attacker could leverage the vulnerability to perform remote code execution in the context of the current process. Siemens has released a new version of Simcenter Femap and recommends updating to the latest version.
Analysis Summary
# Vulnerability: Heap-Based Buffer Overflow in Simcenter Femap Datakit Library
## CVE Details
- **CVE ID:** CVE-2025-12659
- **CVSS Score:** 7.8 (High) - CVSS v3.1 / 7.3 (High) - CVSS v4.0
- **CWE:** CWE-122: Heap-based Buffer Overflow
## Affected Systems
- **Products:** Simcenter Femap
- **Versions:** All versions prior to V2512.0003
- **Configurations:** Systems utilizing the Datakit library for file conversion/parsing, specifically when processing IPT (Autodesk Inventor) format files.
## Vulnerability Description
The vulnerability exists within the Datakit library integrated into Simcenter Femap. A memory corruption flaw occurs when the application parses specially crafted **IPT** files. Due to improper bounds checking during the reading of these files, a heap-based buffer overflow can be triggered.
## Exploitation
- **Status:** Coordinated disclosure (ZDI-CAN-27349, ZDI-CAN-27389); No current reports of exploitation in the wild.
- **Complexity:** Low (CVSS v3.1) / High (CVSS v4.0 - reflects the need for social engineering).
- **Attack Vector:** Local. The attack requires user interaction; an attacker must trick a legitimate user into opening a malicious IPT file with the affected Simcenter Femap software.
## Impact
- **Confidentiality:** High (Full compromise of the process context)
- **Integrity:** High (Unauthorized modification of data/execution of code)
- **Availability:** High (Application crash or system instability)
## Remediation
### Patches
- **Update to V2512.0003 or later:** Siemens recommends upgrading to the latest version to resolve the underlying library vulnerability.
- Patch Link: hxxps://support.sw.siemens.com/product/275652363/
### Workarounds
- **General Security Best Practices:**
  - Do not open IPT files from untrusted or unknown sources.
  - Restrict administrative privileges to prevent an attacker from gaining full system control if the process is compromised.
  - Implement Siemens' operational guidelines for Industrial Security.
## Detection
- **Indicators of Compromise:** Unexpected application crashes when opening IPT files; unusual process behavior under the `femap.exe` (or equivalent) process tree.
- **Detection methods and tools:**
  - Monitor file integrity for IPT assets.
  - Use Endpoint Detection and Response (EDR) tools to identify heap-spraying techniques or anomalous remote code execution attempts originating from Simcenter Femap.
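The two indicators above (unexpected child processes under `femap.exe`, and crashes of `femap.exe` consistent with memory corruption) can be checked against exported endpoint telemetry. The script below is an added example, not code from the Siemens advisory or from Simcenter Femap; it assumes a newline-delimited JSON export with the field names shown, the sample events are constructed, and the faulting module name is a placeholder because the advisory does not name the Datakit DLL.

```python
"""Added example, not code from the Siemens advisory or from Simcenter Femap:
triage of constructed endpoint telemetry for the two indicators the Detection
section names: unexpected child processes under femap.exe and crashes of
femap.exe consistent with memory corruption. The record layout (one JSON
object per line) and every field name are assumptions about the EDR export."""
import json
from typing import Iterable, Optional

# The process the advisory names ("femap.exe or equivalent"); add site-specific
# equivalents here.
FEMAP_IMAGES = {"femap.exe"}

# Interpreters and living-off-the-land binaries that an FEA application has no
# reason to spawn (assumed list; tune to the environment).
SUSPICIOUS_CHILDREN = {
    "cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
    "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe", "bitsadmin.exe",
}

# NTSTATUS codes that Windows Application Error events (Event ID 1000) report
# for an access violation and for heap corruption, the usual outcome of a
# heap-based buffer overflow that did not lead to controlled execution.
MEMORY_CORRUPTION_CODES = {"0xc0000005", "0xc0000374"}


def basename(path: str) -> str:
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def classify(event: dict) -> Optional[dict]:
    """Return a finding for one telemetry event, or None if it is benign."""
    kind = event.get("event")
    if kind == "process_create":
        parent = basename(event.get("parent_image", ""))
        child = basename(event.get("image", ""))
        if parent in FEMAP_IMAGES and child in SUSPICIOUS_CHILDREN:
            return {
                "rule": "femap_spawned_interpreter",
                "host": event.get("host"),
                "detail": f"{parent} -> {child}: {event.get('command_line', '')}",
            }
    elif kind == "app_crash":
        app = basename(event.get("faulting_application", ""))
        if app in FEMAP_IMAGES:
            code = str(event.get("exception_code", "")).lower()
            rule = ("femap_memory_corruption_crash"
                    if code in MEMORY_CORRUPTION_CODES else "femap_crash")
            module = basename(event.get("faulting_module", "?"))
            return {
                "rule": rule,
                "host": event.get("host"),
                "detail": f"{app} faulted in {module} with {code or 'unknown code'}",
            }
    return None


def triage(lines: Iterable[str]) -> list:
    """Run classify() over newline-delimited JSON telemetry, skipping junk lines."""
    findings = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # malformed export line: skip it rather than abort the sweep
        finding = classify(event)
        if finding is not None:
            findings.append(finding)
    return findings


# Constructed sample telemetry (not real logs). DATAKIT_PLACEHOLDER.dll stands in
# for the Datakit library module, which the advisory does not name.
SAMPLE_TELEMETRY = r"""
{"event": "process_create", "host": "ws-17", "parent_image": "C:\\Program Files\\Siemens\\Femap\\femap.exe", "image": "C:\\Windows\\System32\\notepad.exe", "command_line": "notepad.exe"}
{"event": "process_create", "host": "ws-17", "parent_image": "C:\\Program Files\\Siemens\\Femap\\femap.exe", "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "command_line": "powershell.exe -NoProfile -Command Get-Date"}
{"event": "process_create", "host": "ws-17", "parent_image": "C:\\Windows\\explorer.exe", "image": "C:\\Windows\\System32\\cmd.exe", "command_line": "cmd.exe"}
{"event": "app_crash", "host": "ws-17", "faulting_application": "femap.exe", "faulting_module": "DATAKIT_PLACEHOLDER.dll", "exception_code": "0xc0000374"}
{"event": "app_crash", "host": "ws-22", "faulting_application": "excel.exe", "faulting_module": "ntdll.dll", "exception_code": "0xc0000005"}
this line is not JSON and must be skipped
"""

if __name__ == "__main__":
    for finding in triage(SAMPLE_TELEMETRY.splitlines()):
        print(finding["rule"], finding["host"], finding["detail"])
```

A plain `femap.exe` crash on its own is weak evidence (the application may crash on malformed but harmless files), so the crash rule is split in two: only exception codes that point at memory corruption are raised at the higher severity, and both should be correlated with the IPT file that was open at the time before escalating.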
## References
- **Siemens Security Advisory SSA-870926:** hxxps://cert-portal.siemens.com/productcert/html/ssa-870926.html
- **Siemens Industrial Security Guidelines:** hxxps://www.siemens.com/cert/operational-guidelines-industrial-security
- **Siemens ProductCERT:** hxxps://www.siemens.com/cert/advisories