Description
A vulnerability has been identified in Simcenter Femap (All versions < V2512), Simcenter Nastran (All versions < V2512). The affected applications contains an out of bounds read vulnerability while parsing specially crafted NDB files. This could allow an attacker to execute code in the context of the current process.
Published: 2026-02-10
Score: 7.3 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Patch
AI Analysis

Impact

The vulnerability is an out‑of‑bounds read that occurs when the application parses specially crafted NDB files. Because the read can be abused to execute code in the context of the running process, an attacker that supplies a malicious NDB file could gain arbitrary code execution privilege on the affected system.

Affected Systems

Siemens Simcenter Femap (all versions prior to V2512) and Siemens Simcenter Nastran (all versions prior to V2512) are affected. The same vulnerability applies to every version below V2512 in both products.

Risk and Exploitability

The CVSS score of 7.3 indicates a high severity, but the EPSS score is listed as less than 1%, implying that the likelihood of a widespread exploit is low at present. The vulnerability is not in the CISA KEV catalog. The attack path requires delivery of a crafted NDB file, which then triggers the vulnerable parsing routine. The required conditions do not demand elevated privileges, so a local user who runs the application could be exploited, and if the application processes files from a network share, a remote attacker could deliver the file indirectly. Because the flaw can lead to code execution, the impact is severe, yet the current exploitation probability appears to be low.

Generated by OpenCVE AI on April 17, 2026 at 20:49 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Siemens Simcenter Femap or Simcenter Nastran to version V2512 or later.
  • If an upgrade is not immediately available, limit the application to processing NDB files that come from trusted sources and block or quarantine unknown files before importing them.
  • Apply strict file‑level access controls so that only authorised users can create or modify NDB files that the application will read.
  • If a custom pre‑processing tool is used, include bounds checking on NDB file structures to prevent out‑of‑bounds reads.

Generated by OpenCVE AI on April 17, 2026 at 20:49 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 17 Apr 2026 21:15:00 +0000

Type Values Removed Values Added
Title Out of Bounds Read in Simcenter Femap and Nastran Enabling Code Execution

Wed, 11 Feb 2026 18:30:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:siemens:simcenter_femap:*:*:*:*:*:*:*:*
cpe:2.3:a:siemens:simcenter_nastran:*:*:*:*:*:*:*:*

Tue, 10 Feb 2026 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 10 Feb 2026 12:45:00 +0000

Type Values Removed Values Added
First Time appeared Siemens
Siemens simcenter Femap
Siemens simcenter Nastran
Vendors & Products Siemens
Siemens simcenter Femap
Siemens simcenter Nastran

Tue, 10 Feb 2026 10:15:00 +0000

Type Values Removed Values Added
Description A vulnerability has been identified in Simcenter Femap (All versions < V2512), Simcenter Nastran (All versions < V2512). The affected applications contains an out of bounds read vulnerability while parsing specially crafted NDB files. This could allow an attacker to execute code in the context of the current process.
Weaknesses CWE-125
References
Metrics cvssV3_1

{'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}

cvssV4_0

{'score': 7.3, 'vector': 'CVSS:4.0/AV:L/AC:H/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}

Subscriptions

Siemens Simcenter Femap Simcenter Nastran
cve-icon MITRE

Status: PUBLISHED

Assigner: siemens

Published:

Updated: 2026-02-10T15:11:43.915Z

Reserved: 2026-01-15T14:48:10.775Z

Link: CVE-2026-23718

cve-icon Vulnrichment

Updated: 2026-02-10T15:10:13.630Z

cve-icon NVD

Status : Analyzed

Published: 2026-02-10T10:15:58.740

Modified: 2026-02-11T18:24:00.490

Link: CVE-2026-23718

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-17T21:00:12Z

Weaknesses