PatchSiren

PatchSiren cyber security CVE debrief

CVE-2024-47046 Siemens CVE debrief

A memory corruption vulnerability exists in Siemens Simcenter Femap when parsing specially crafted BDF (Bulk Data File) files. The flaw, published December 10, 2024, could allow an attacker to execute arbitrary code within the context of the current process. The vulnerability affects multiple versions: V2306, V2401, and V2406. Siemens has released a vendor fix for V2406 users through the Femap 2406 Nastran Updates, while V2306 and V2401 currently have no patch available. CISA and Siemens recommend defensive measures including avoiding untrusted BDF files until patches can be applied.

Vendor: Siemens
Product: Simcenter Nastran 2306
CVSS: HIGH 7.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2024-10-08
Original CVE updated: 2025-05-06
Advisory published: 2024-10-08
Advisory updated: 2025-05-06

Who should care

  • Engineering organizations using Simcenter Femap for finite element analysis, particularly in aerospace, automotive, and industrial manufacturing sectors
  • Security teams protecting OT/ICS environments with engineering workstations
  • Organizations with Nastran-based simulation workflows dependent on BDF file exchange

Technical summary

The vulnerability stems from improper memory handling during parsing of BDF (Bulk Data File) format files in Simcenter Femap, a finite element analysis pre- and post-processor. BDF files are commonly used in Nastran-based engineering workflows for structural analysis. The memory corruption condition can be triggered when a user opens a maliciously crafted BDF file, leading to arbitrary code execution in the context of the running process. The CVSS 3.1 score of 7.8 (HIGH) reflects significant confidentiality, integrity, and availability impacts, though exploitation requires local access and user interaction. The attack complexity is low, and no privileges are required, making social engineering or supply chain compromise viable attack vectors.

Defensive priority

HIGH

Recommended defensive actions

  • Apply Siemens Femap 2406 Nastran Updates to V2406 installations as soon as possible
  • For V2306 and V2401 deployments, implement strict controls to prevent opening of untrusted BDF files
  • Restrict user permissions to limit impact of potential exploitation
  • Monitor for suspicious BDF file handling in engineering workflows
  • Establish asset inventory to identify affected Simcenter Femap installations across versions

Evidence notes

CVE published and modified 2024-12-10 per official record. CISA ICS advisory ICSA-24-347-06 issued same date. Siemens SSA-881356 published concurrently. CVSS 3.1 vector AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H confirms local attack vector requiring user interaction.

Official resources

2024-12-10