CVE-2025-25175 Siemens CVE debrief

Who should care

Organizations using Siemens Simcenter Femap V2401 or V2406, especially engineers, analysts, and support teams that regularly exchange or open .NEU files from external or unverified sources. Security teams supporting OT/industrial engineering software should also treat this as a file-handling code-execution risk.

Technical summary

The advisory states that Simcenter Femap contains a memory corruption vulnerability while parsing specially crafted .NEU files. The issue is associated with ZDI-CAN-25443 and is rated CVSS 3.1 7.8 (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H), indicating local impact with user interaction required. A successful exploit could lead to code execution in the current process context. Affected products listed in the advisory are Simcenter Femap V2401 and V2406, with fixes available in V2401.0003 or later and V2406.0002 or later.

Defensive priority

High. The vulnerability is user-triggered and file-based, but the potential impact is full code execution in the application process. Prioritize patching exposed engineering workstations and restricting handling of untrusted .NEU files until updates are deployed.

Recommended defensive actions

• Update Simcenter Femap V2401 to V2401.0003 or later.
• Update Simcenter Femap V2406 to V2406.0002 or later.
• Do not open untrusted .NEU files in affected versions.
• Review workflows that import externally supplied engineering files and add validation or isolation where possible.
• Use Siemens and CISA guidance for industrial control systems defense-in-depth and recommended practices.

Evidence notes

This debrief is based on the CISA CSAF advisory ICSA-25-079-03 for Siemens Simcenter Femap, published 2025-03-13 and revised 2025-05-06 for typo fixes. The source advisory explicitly describes a memory corruption flaw while parsing specially crafted .NEU files and lists affected versions V2401 and V2406 along with the corresponding fixed releases. No KEV listing was provided in the supplied corpus.

Official resources