PatchSiren


CVE-2024-32057 Siemens CVE debrief

A type confusion vulnerability in Siemens Simcenter Femap, triggered during parsing of IGS (Initial Graphics Exchange Specification) files, allows code execution in the context of the current process. The vulnerability was disclosed on 2024-07-09 with a CVSS 3.1 score of 7.8 (HIGH). Siemens has fixed the issue in V2406 and later versions. CISA and Siemens recommend applying the vendor update and avoiding untrusted IGS files until patched.

Vendor: Siemens
Product: Simcenter Femap
CVSS: HIGH 7.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2024-05-14
Original CVE updated: 2024-05-14
Advisory published: 2024-05-14
Advisory updated: 2024-05-14

Who should care

Organizations using Siemens Simcenter Femap for engineering simulation and analysis, particularly those processing IGS files from external sources or untrusted origins. Security teams in manufacturing, aerospace, automotive, and other industrial sectors relying on CAD/CAE workflows should prioritize patching.

Technical summary

CVE-2024-32057 is a type confusion vulnerability in Siemens Simcenter Femap that occurs during parsing of IGS (Initial Graphics Exchange Specification) files. The vulnerability allows an attacker to execute arbitrary code within the context of the current process. The CVSS 3.1 vector (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H) indicates a local attack vector with low attack complexity, no privileges required, but user interaction required, resulting in high impact to confidentiality, integrity, and availability. The vulnerability was reported through the Zero Day Initiative (ZDI-CAN-21562). Siemens has addressed this issue in version V2406 and later.

Defensive priority

HIGH

Recommended defensive actions

  • Apply vendor fix: Update Simcenter Femap to V2406 or a later version
  • Avoid opening untrusted IGS files in affected applications
  • Avoid opening untrusted IGS, BDF, or BMP files using Simcenter Femap
  • Follow CISA ICS recommended practices for defense-in-depth strategies

Evidence notes

CVE description and CISA CSAF advisory ICSA-24-193-04 confirm type confusion in IGS file parsing with code execution impact. Siemens SSA-064222 provides vendor remediation guidance. CVSS vector AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H indicates local attack vector requiring user interaction.

Official resources

2024-07-09