PatchSiren cyber security CVE debrief
CVE-2025-40739 Siemens CVE debrief
CVE-2025-40739 is a high-severity vulnerability in Siemens Solid Edge SE2025 disclosed on 2025-07-08. The issue is an out-of-bounds read past the end of an allocated structure while parsing specially crafted PAR files. According to the advisory, successful exploitation could allow code execution in the context of the current process. Siemens recommends updating to V225.0 Update 5 or later and avoiding untrusted PAR files.
- Vendor: Siemens
- Product: Solid Edge SE2025
- CVSS: 7.8 (HIGH)
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2025-07-08
- Original CVE updated: 2025-07-08
- Advisory published: 2025-07-08
- Advisory updated: 2025-07-08
Who should care
Organizations using Siemens Solid Edge SE2025, especially engineering, design, and manufacturing teams that open PAR files from external or untrusted sources. Security and endpoint teams responsible for patching user-facing desktop applications should prioritize this advisory: the only user interaction needed is opening a crafted PAR file, and exchanging part files with suppliers and customers is routine in design workflows, so the attack path is a realistic one.
Technical summary
The advisory describes a parsing flaw in Solid Edge SE2025 affecting PAR file handling. A crafted PAR file can trigger an out-of-bounds read beyond an allocated structure. The supplied CVSS vector (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H) reads as follows: the attacker needs no prior privileges (PR:N) and no special conditions (AC:L), but the file must be delivered to and opened on the workstation by a user (AV:L, UI:R); the impact stays within the application's security scope (S:U) and is rated high for confidentiality, integrity, and availability. The vendor states the impact could be code execution in the current process, which means any code that runs inherits the privileges of the logged-on user running Solid Edge. The remediation guidance is to update to V225.0 Update 5 or later and not open untrusted PAR files.
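To make the bug class concrete, the following is an added illustration written for this debrief; it is not Siemens code and does not model the PAR format, whose internal layout is not described in the advisory. It uses a made-up little-endian record layout (2-byte tag, 2-byte payload length, payload bytes) and shows an unchecked parser next to a hardened one. The unchecked version bounds the destination buffer but never compares the length declared in the file with the bytes actually present, so a crafted header makes it read past the end of the input, which is the pattern the advisory describes. The sample inputs are constructed for the demo.

```c
/* Added illustration of the advisory's bug class (out-of-bounds read from
 * trusting a length field in a parsed file). Hypothetical record format,
 * not the PAR format and not Siemens code. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define REC_HDR_LEN 4u      /* tag (2 bytes) + payload_len (2 bytes), little-endian */
#define MAX_PAYLOAD 32u     /* fixed-size destination inside the parsed struct */
#define LEAK_LEN    16u     /* adjacent bytes the unchecked parser ends up copying */

struct record {
    uint16_t tag;
    uint16_t payload_len;   /* length as declared in the file */
    uint8_t  payload[MAX_PAYLOAD];
};

static uint16_t rd16le(const uint8_t *p)
{
    return (uint16_t)(p[0] | ((uint16_t)p[1] << 8));
}

/* Vulnerable: the destination is bounded (so no write overflow), but the
 * number of bytes copied from the input is never compared with buf_len.
 * A crafted payload_len makes memcpy read past the end of the input. */
bool parse_record_unchecked(const uint8_t *buf, size_t buf_len, struct record *out)
{
    if (buf_len < REC_HDR_LEN)
        return false;
    out->tag = rd16le(buf);
    out->payload_len = rd16le(buf + 2);
    size_t n = out->payload_len;
    if (n > MAX_PAYLOAD)
        n = MAX_PAYLOAD;                            /* protects the destination only */
    memcpy(out->payload, buf + REC_HDR_LEN, n);     /* BUG: source bound unchecked */
    return true;
}

/* Hardened: every byte read must lie inside [buf, buf + buf_len). */
bool parse_record_checked(const uint8_t *buf, size_t buf_len, struct record *out)
{
    if (buf_len < REC_HDR_LEN)
        return false;
    uint16_t declared  = rd16le(buf + 2);
    size_t   available = buf_len - REC_HDR_LEN;     /* cannot underflow: checked above */
    if (declared > MAX_PAYLOAD || declared > available)
        return false;                               /* reject instead of reading on */
    out->tag = rd16le(buf);
    out->payload_len = declared;
    memcpy(out->payload, buf + REC_HDR_LEN, declared);
    return true;
}

/* Constructed sample: an 8-byte "file" whose header claims 20 payload bytes
 * but carries only 4, followed in the same object by unrelated data. Keeping
 * both in one struct keeps the demo's over-read inside a single allocation. */
struct sample {
    uint8_t file[8];
    char    beyond[LEAK_LEN + 1];
};

static const struct sample crafted = {
    { 0x01, 0x00,           /* tag = 1 */
      0x14, 0x00,           /* payload_len = 20, but only 4 payload bytes follow */
      0xAA, 0xBB, 0xCC, 0xDD },
    "SECRET-DATA-HERE"      /* 16 bytes that sit right after file[] in memory */
};

static const uint8_t valid_file[] = { 0x01, 0x00, 0x04, 0x00, 0xAA, 0xBB, 0xCC, 0xDD };

/* True when the hardened parser accepts the well-formed sample. */
bool demo_valid_parses(void)
{
    struct record r = {0};
    return parse_record_checked(valid_file, sizeof valid_file, &r)
        && r.payload_len == 4 && r.payload[0] == 0xAA && r.payload[3] == 0xDD;
}

/* True when the unchecked parser accepted the crafted header and its payload
 * now contains bytes from `beyond`, i.e. it read past the end of file[]. */
bool demo_unchecked_leaks(void)
{
    struct record r = {0};
    const uint8_t *buf = (const uint8_t *)&crafted;   /* points at file[0] */
    if (!parse_record_unchecked(buf, sizeof crafted.file, &r))
        return false;
    return memcmp(r.payload + 4, crafted.beyond, LEAK_LEN) == 0;
}

/* True when the hardened parser rejects the same crafted header. */
bool demo_checked_rejects(void)
{
    struct record r = {0};
    return !parse_record_checked((const uint8_t *)&crafted, sizeof crafted.file, &r);
}

int main(void)
{
    printf("valid file, checked parser ok:            %s\n", demo_valid_parses() ? "yes" : "no");
    printf("crafted file, unchecked parser leaked:    %s\n", demo_unchecked_leaks() ? "yes" : "no");
    printf("crafted file, checked parser rejected it: %s\n", demo_checked_rejects() ? "yes" : "no");
    return 0;
}
```

The sample deliberately places the trailing bytes in the same object as the record so that the over-read stays defined behaviour for the demonstration. In a real parser the same memcpy walks off the end of a heap allocation, which is what AddressSanitizer or a fuzzer driving the file loader would report, and whether the result is a crash, an information leak, or something an attacker can steer toward code execution depends on what happens to lie past the structure.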
Defensive priority
High. This is a publicly disclosed, user-interaction-dependent vulnerability in a commonly used engineering application, with potential code execution impact. Patch promptly if Solid Edge SE2025 is deployed, and restrict how PAR files reach affected workstations as an interim measure until the vendor fix is installed.
Recommended defensive actions
- Update Siemens Solid Edge SE2025 to V225.0 Update 5 or later using the vendor-provided fix.
- Do not open untrusted or unsolicited PAR files in the affected application.
- Restrict PAR file handling to trusted sources and review external-file intake workflows (supplier portals, e-mail attachments, shared drives) so that files from outside are screened before anyone opens them in Solid Edge.
- Inventory which systems have Solid Edge SE2025 installed, confirm the installed build is V225.0 Update 5 or later, and prioritize the remaining hosts for patching.
- Apply Siemens' general operational guidance and defense-in-depth practices for engineering workstations that handle externally supplied files: run the application as a standard (non-administrator) user, since the advisory's impact is code execution in the context of the current process, and keep these workstations separated from untrusted networks.
Evidence notes
This debrief is based on the CISA CSAF advisory ICSA-25-191-02 and the Siemens security advisory references supplied in the source corpus. The corpus states: the affected applications contain an out-of-bounds read past the end of an allocated structure while parsing specially crafted PAR files; exploitation could allow code execution in the context of the current process; mitigation includes not opening untrusted PAR files; and the vendor fix is V225.0 Update 5 or later. No KEV listing was supplied in the corpus.
Official resources
- CVE-2025-40739 CVE record (CVE.org)
- CVE-2025-40739 NVD detail (NVD)
- Source item (cisa_csaf): CISA CSAF advisory ICSA-25-191-02
Publicly disclosed on 2025-07-08 via CISA advisory ICSA-25-191-02 and Siemens advisory references in the supplied corpus. No Known Exploited Vulnerabilities (KEV) entry was supplied.