PatchSiren


CVE-2024-33491 Siemens CVE debrief

CVE-2024-33491 is a high-severity out-of-bounds read vulnerability in Siemens Solid Edge, published on May 14, 2024. The flaw occurs when parsing specially crafted PAR (part) files, allowing an attacker to execute arbitrary code in the context of the current process. The vulnerability stems from reading past the end of an allocated structure during PAR file parsing. With a CVSS 3.1 score of 7.8 (HIGH), this represents a significant risk to engineering workstations where Solid Edge is deployed. The attack vector is local, requiring user interaction to open a malicious file, but successful exploitation grants high impact across confidentiality, integrity, and availability. Siemens has released a vendor fix in V224.0 Update 5 or later versions. CISA and Siemens both recommend updating immediately and avoiding untrusted PAR files as an interim mitigation.

Vendor: Siemens
Product: Solid Edge
CVSS: HIGH 7.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2024-05-14
Original CVE updated: 2024-05-14
Advisory published: 2024-05-14
Advisory updated: 2024-05-14

Who should care

Organizations using Siemens Solid Edge for CAD/CAM/CAE operations, particularly in manufacturing, aerospace, automotive, and industrial design sectors. Security teams responsible for engineering workstation protection and supply chain security for design files.

Technical summary

Out-of-bounds read vulnerability in Siemens Solid Edge when parsing PAR files. Local attack vector requires user interaction. Fixed in V224.0 Update 5.

Defensive priority

HIGH

Recommended defensive actions

  • Update Siemens Solid Edge to V224.0 Update 5 or later version immediately
  • Implement application whitelisting to prevent execution of untrusted Solid Edge instances
  • Train users to avoid opening PAR files from untrusted sources
  • Consider network segmentation for engineering workstations running Solid Edge
  • Monitor for suspicious PAR file attachments in email and file sharing systems
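
One way to act on the last item above, shown as an added example that is not from the Siemens or CISA advisories: a mail-gateway triage function that lists PAR attachments, including ones packed inside a ZIP. The function names, addresses and sample message are constructed for illustration, and an extension match is only a triage signal, not proof that a file is malicious.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

PAR_EXT = ".par"  # Solid Edge part-file extension named in this debrief


def find_par_attachments(raw_message: bytes) -> list[str]:
    """Return names of PAR attachments, found directly or inside a ZIP attachment."""
    msg = message_from_bytes(raw_message, policy=policy.default)
    hits = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        payload = part.get_payload(decode=True) or b""
        if name.lower().endswith(PAR_EXT):
            hits.append(name)
        elif zipfile.is_zipfile(io.BytesIO(payload)):
            # Look one level into archives, a common way to slip past extension filters.
            with zipfile.ZipFile(io.BytesIO(payload)) as zf:
                hits += [f"{name}!{member}" for member in zf.namelist()
                         if member.lower().endswith(PAR_EXT)]
    return hits


def build_sample() -> bytes:
    """Constructed message: a direct .PAR, a ZIP containing a .par, and a PDF."""
    msg = EmailMessage()
    msg["From"] = "supplier@example.com"
    msg["To"] = "engineer@example.com"
    msg["Subject"] = "Updated bracket design"
    msg.set_content("Please review the attached part.")
    msg.add_attachment(b"constructed bytes", maintype="application",
                       subtype="octet-stream", filename="Bracket.PAR")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("models/housing.par", b"constructed bytes")
        zf.writestr("readme.txt", b"notes")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename="designs.zip")
    msg.add_attachment(b"%PDF-constructed", maintype="application",
                       subtype="pdf", filename="quote.pdf")
    return msg.as_bytes()


if __name__ == "__main__":
    for hit in find_par_attachments(build_sample()):
        print("PAR attachment for review:", hit)
```

Flagged messages can be held for review or routed to a workstation already running the fixed Solid Edge version before anyone opens the file.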

Evidence notes

Vulnerability description and remediation guidance sourced from CISA CSAF advisory ICSA-24-137-09 and Siemens security advisory SSA-589937. CVSS vector confirms local attack vector with user interaction required. Vendor fix version explicitly stated as V224.0 Update 5 or later.

Official resources

2024-05-14