PatchSiren cyber security CVE debrief

CVE-2024-32062 Siemens CVE debrief

CVE-2024-32062 is a high-severity type confusion vulnerability in Siemens Simcenter Femap, published on 2024-07-09. The flaw occurs during parsing of IGS (Initial Graphics Exchange Specification) files and can lead to arbitrary code execution in the context of the current process. The vulnerability was reported through the Zero Day Initiative (ZDI-CAN-21568) and affects Simcenter Femap versions prior to V2406. Siemens has fixed the issue in V2406 and later versions. CISA and Siemens recommend defensive mitigations, including avoiding untrusted IGS files and applying the vendor update.

Vendor: Siemens
Product: Simcenter Femap
CVSS: HIGH 7.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2024-05-14
Original CVE updated: 2024-05-14
Advisory published: 2024-05-14
Advisory updated: 2024-05-14

Who should care

Organizations using Siemens Simcenter Femap for engineering analysis and simulation, particularly those in industrial manufacturing, aerospace, automotive, and other sectors relying on CAD/CAE workflows. Security teams responsible for engineering workstation protection and supply chain security for design file exchanges should prioritize this vulnerability.

Technical summary

A type confusion vulnerability exists in Siemens Simcenter Femap when parsing IGS (Initial Graphics Exchange Specification) files. The vulnerability, tracked as ZDI-CAN-21568, allows an attacker to achieve arbitrary code execution in the context of the current process by providing a maliciously crafted IGS file. The CVSS 3.1 base score is 7.8 (HIGH), indicating significant impact to confidentiality, integrity, and availability with low attack complexity. The attack vector is local, requiring user interaction to open a malicious file. Siemens has addressed this vulnerability in V2406 and later versions.

Defensive priority

high

Recommended defensive actions

  • Apply vendor fix: Update Simcenter Femap to V2406 or a later version
  • Avoid opening untrusted IGS files in affected applications
  • Avoid opening untrusted IGS, BDF, or BMP files using Simcenter Femap
  • Follow CISA ICS recommended practices for defense-in-depth security controls

Evidence notes

CVE published 2024-07-09 per official record. Type confusion vulnerability in IGS file parsing confirmed by CISA CSAF advisory ICSA-24-193-04 and Siemens security advisory SSA-064222. CVSS 3.1 score 7.8 (HIGH) with vector AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H. Vendor fix available in V2406 or later.
