PatchSiren cyber security CVE debrief

CVE-2024-33490 Siemens CVE debrief

CVE-2024-33490 is a high-severity out-of-bounds read vulnerability in Siemens Solid Edge, published on 2024-05-14. The flaw is triggered when parsing a specially crafted PAR (part) file and allows an attacker to execute arbitrary code in the context of the current process. The root cause is a read past the end of an allocated structure during PAR file parsing. The CVSS 3.1 score is 7.8 (HIGH): the attack vector is local, user interaction is required, no privileges are needed, and the confidentiality, integrity, and availability impacts are all high. Siemens has released a fix in V224.0 Update 5 or later. CISA and Siemens jointly advise updating immediately and, as a mitigation, not opening untrusted PAR files.

Vendor: Siemens
Product: Solid Edge
CVSS: HIGH 7.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2024-05-14
Original CVE updated: 2024-05-14
Advisory published: 2024-05-14
Advisory updated: 2024-05-14

Who should care

Organizations using Siemens Solid Edge for CAD/CAM operations, particularly in manufacturing, aerospace, automotive, and industrial design sectors. Security teams in OT/ICS environments where Solid Edge is deployed. Engineers and designers who regularly exchange PAR files with external partners or download models from public repositories.

Technical summary

The vulnerability exists in the PAR file parser of Siemens Solid Edge. When processing a malformed PAR file, the application reads beyond the bounds of an allocated memory structure. This out-of-bounds read can be exploited to achieve arbitrary code execution within the context of the Solid Edge process. The attack requires local access and user interaction (opening a malicious file), but no special privileges. The CVSS vector CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H reflects this local attack surface with high impact potential.
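To make the bug class concrete from the defender's side, here is an added C example (not Siemens code; the record layout is a constructed stand-in, not the real PAR format) showing the bounds check a file parser must perform before honouring a length field that comes from the file itself:

```c
#include <stdint.h>
#include <stddef.h>
#include <stdbool.h>

/* Constructed, hypothetical record layout used only for illustration (NOT the
 * real Solid Edge PAR format): a little-endian u16 record count, followed by
 * records of [u16 payload_len][payload bytes]. */

/* Read a little-endian u16 at `off`, refusing if fewer than 2 bytes remain. */
static bool read_u16_le(const uint8_t *buf, size_t buflen, size_t off, uint16_t *out) {
    if (off > buflen || buflen - off < 2) return false;   /* bounds check before every read */
    *out = (uint16_t)(buf[off] | (buf[off + 1] << 8));
    return true;
}

/* Returns the number of records parsed, or -1 if any length field would run
 * past the end of the buffer. payload_total may be NULL. */
int parse_records(const uint8_t *buf, size_t buflen, uint32_t *payload_total) {
    size_t off = 0;
    uint16_t count, len;
    uint32_t total = 0;
    if (!read_u16_le(buf, buflen, off, &count)) return -1;
    off += 2;
    for (uint16_t i = 0; i < count; i++) {
        if (!read_u16_le(buf, buflen, off, &len)) return -1;
        off += 2;
        /* This is the check whose absence produces the bug class in the debrief:
         * an unchecked parser would inspect `len` bytes here on the file's word
         * alone and read beyond the allocated buffer when the file is truncated. */
        if (buflen - off < len) return -1;   /* truncated record: refuse, do not read past end */
        total += len;
        off += len;
    }
    if (payload_total) *payload_total = total;
    return (int)count;
}

/* Constructed sample inputs for a stand-alone run. */
static const uint8_t good_file[] = {0x02,0x00, 0x03,0x00, 'a','b','c', 0x01,0x00, 'z'};
static const uint8_t bad_file[]  = {0x01,0x00, 0xFF,0xFF, 'a'};   /* claims 65535 bytes, carries 1 */
static const uint8_t cut_file[]  = {0x01,0x00, 0x03};            /* length field itself truncated */

int main(void) {
    uint32_t total = 0;
    int n = parse_records(good_file, sizeof good_file, &total);   /* 2 records, 4 payload bytes */
    int m = parse_records(bad_file, sizeof bad_file, NULL);       /* -1 */
    int k = parse_records(cut_file, sizeof cut_file, NULL);       /* -1 */
    return (n == 2 && total == 4 && m == -1 && k == -1) ? 0 : 1;
}
```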

Defensive priority

HIGH

Recommended defensive actions

  • Update Siemens Solid Edge to V224.0 Update 5 or later
  • Do not open untrusted PAR files in Solid Edge
  • Apply defense-in-depth practices for industrial control systems per CISA guidance
  • Monitor for suspicious PAR file attachments in email and file sharing
  • Review and restrict file import permissions for Solid Edge users

Evidence notes

Vulnerability disclosed via CISA ICS Advisory ICSA-24-137-09 and Siemens Security Advisory SSA-589937. Affected product confirmed as Siemens Solid Edge. Vendor fix available in V224.0 Update 5 or later.
