PatchSiren cyber security CVE debrief
CVE-2024-32060 Siemens CVE debrief
A high-severity out-of-bounds read vulnerability in Siemens Simcenter Femap allows code execution when parsing malicious IGS files. The flaw, reported via the Zero Day Initiative (ZDI-CAN-21565), stems from reading past the end of an allocated structure during IGS file parsing. With a CVSS 3.1 score of 7.8, this vulnerability requires local access and user interaction but grants high impact across confidentiality, integrity, and availability. CISA published advisory ICSA-24-193-04 on July 9, 2024, coordinating disclosure with Siemens. The vendor has released version V2406 as a definitive fix.
- Vendor
- Siemens
- Product
- Simcenter Femap
- CVSS
- HIGH 7.8
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2024-05-14
- Original CVE updated
- 2024-05-14
- Advisory published
- 2024-05-14
- Advisory updated
- 2024-05-14
Who should care
Engineering organizations using Siemens Simcenter Femap for finite element analysis and CAD preprocessing; security teams in manufacturing, aerospace, automotive, and energy sectors; ICS/OT security practitioners managing engineering workstations; asset owners with Simcenter Femap deployments in design and simulation workflows.
Technical summary
CVE-2024-32060 is an out-of-bounds read vulnerability in Siemens Simcenter Femap that occurs when parsing specially crafted IGS (Initial Graphics Exchange Specification) files. The vulnerability allows an attacker to read memory beyond allocated structure boundaries, potentially leading to code execution in the context of the current process. The flaw was reported through the Zero Day Initiative (ZDI-CAN-21565) and affects versions prior to V2406. The attack vector requires local access and user interaction—specifically, opening a malicious IGS file. Successful exploitation grants high impact on confidentiality, integrity, and availability. Siemens has released version V2406 as the definitive remediation. CISA's advisory ICSA-24-193-04 provides coordinated disclosure and mitigation guidance for industrial control systems environments.
Defensive priority
HIGH
Recommended defensive actions
- Update Simcenter Femap to version V2406 or later to remediate this vulnerability
- Apply vendor security updates from Siemens ProductCERT SSA-064222
- Restrict opening of untrusted IGS files in Simcenter Femap as a temporary mitigation
- Implement defense-in-depth controls for industrial control systems environments per CISA guidance
- Monitor for anomalous IGS file handling in engineering workstations running Simcenter Femap
Evidence notes
The vulnerability was reported through the Zero Day Initiative (ZDI-CAN-21565). CISA's CSAF-based advisory confirms the out-of-bounds read occurs during parsing of specially crafted IGS files in Simcenter Femap. Siemens ProductCERT SSA-064222 provides the authoritative vendor fix in version V2406.
Official resources
-
CVE-2024-32060 CVE record
CVE.org
-
CVE-2024-32060 NVD detail
NVD
-
Source item URL
cisa_csaf
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
Coordinated disclosure via CISA ICS advisory ICSA-24-193-04 and Siemens ProductCERT SSA-064222, published July 9, 2024.