CVE-2024-33577 Siemens CVE debrief

Who should care

Organizations using Siemens Simcenter Femap for engineering simulation and analysis, particularly in industrial and manufacturing environments where the software processes external CAD/CAE data files.

Technical summary

CVE-2024-33577 is a stack overflow vulnerability in Siemens Simcenter Femap engineering analysis software. The flaw occurs when parsing specially crafted strings supplied as arguments to an application binary. The vulnerability is exploitable locally (AV:L) and requires user interaction (UI:R) to trigger, such as opening a malicious file. Successful exploitation yields high-impact code execution (C:H/I:H/A:H) in the context of the current process. Siemens has released V2406 as a remediated version. CISA recommends additional mitigations including avoiding untrusted BDF, IGS, and BMP files.

Defensive priority

HIGH

Recommended defensive actions

• Update Simcenter Femap to V2406 or later version
• Avoid opening untrusted BDF files in affected applications
• Avoid opening untrusted IGS, BDF, or BMP files using Simcenter Femap
• Apply defense-in-depth practices for industrial control systems per CISA guidance

Evidence notes

The vulnerability description and remediation guidance are derived from CISA CSAF advisory ICSA-24-193-04, which references Siemens security advisory SSA-064222. The CVSS 3.1 vector (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H) indicates a local attack vector requiring user interaction, with high impacts to confidentiality, integrity, and availability.

Official resources