PatchSiren cyber security CVE debrief
CVE-2024-32065 Siemens CVE debrief
CVE-2024-32065 is a high-severity out-of-bounds read vulnerability in Siemens Simcenter Femap, published on July 9, 2024. The flaw occurs when parsing specially crafted IGS (Initial Graphics Exchange Specification) files, allowing an attacker to execute arbitrary code in the context of the current process. The vulnerability was reported through the Zero Day Initiative (ZDI-CAN-21577) and affects Simcenter Femap versions prior to V2406. The CVSS 3.1 score of 7.8 reflects high impacts to confidentiality, integrity, and availability, with a local attack vector requiring user interaction. Siemens has released a vendor fix in V2406 or later versions.
- Vendor: Siemens
- Product: Simcenter Femap
- CVSS: HIGH 7.8
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2024-05-14
- Original CVE updated: 2024-05-14
- Advisory published: 2024-05-14
- Advisory updated: 2024-05-14
Who should care
Engineering teams using Simcenter Femap for finite element analysis and CAD preprocessing, particularly in aerospace, automotive, and manufacturing sectors where IGS file exchange is common. Security teams responsible for OT/ICS environments and software asset management should prioritize patching.
Technical summary
The vulnerability stems from an out-of-bounds read past the end of an allocated structure during IGS file parsing in Simcenter Femap. This memory safety defect can be triggered by a malformed IGS file and may lead to arbitrary code execution within the process context. The attack requires local access and user interaction (opening a malicious file), with no privileges required. The fix in V2406 addresses the parsing logic to prevent the out-of-bounds access.
Defensive priority
HIGH
Recommended defensive actions
- Update Simcenter Femap to V2406 or later version
- Avoid opening untrusted IGS, BDF, or BMP files in Simcenter Femap
- Apply defense-in-depth practices for industrial control systems per CISA guidance
Evidence notes
Vulnerability disclosed via CISA ICS advisory ICSA-24-193-04 and Siemens security advisory SSA-064222. Confirmed by CSAF product tree with high confidence. No known exploitation in the wild; not listed in CISA KEV catalog.
Official resources
- CVE-2024-32065 CVE record (CVE.org)
- CVE-2024-32065 NVD detail (NVD)
- Source item URL (cisa_csaf)
2024-07-09