Impact
Siemens Simcenter Femap contains a memory corruption vulnerability while parsing specially crafted IPT files, which could allow an attacker to execute code in the context of the current process. This is a heap-based buffer overflow (CWE-122) that can overwrite arbitrary memory, potentially compromising the confidentiality and integrity of the affected system by giving attackers code execution with the application user’s privileges.
Affected Systems
Any installation of Siemens Simcenter Femap that processes IPT files and is earlier than the V2512.0003 release is vulnerable. The CNA notes that the affected applications include all versions that do not incorporate the recommended patch, though specific version ranges are not listed. Users should verify whether their deployment is on a pre‑2512.0003 build and consider applying the fix accordingly.
Risk and Exploitability
The CVSS score of 7.3 indicates high severity, while the EPSS score is below 1%, indicating a very low exploitation probability. The vulnerability is not listed in CISA’s KEV catalog. The likely attack vector is inferred from the description: an attacker would need to supply a maliciously crafted IPT file to the application, either locally or through collaborative features that import IPT files. Because the flaw results in code execution within the current process, successful exploitation would give the attacker the privileges of the user running Femap on that system. Exploitability hinges on the attacker’s ability to deliver the malicious file to the application’s input stream.