PatchSiren cyber security CVE debrief

CVE-2025-40740 Siemens CVE debrief

CVE-2025-40740 is a high-severity vulnerability in Siemens Solid Edge SE2025 that can be triggered when the application parses specially crafted PAR files. The issue is an out-of-bounds read past the end of an allocated structure, and Siemens and CISA warn that it could let an attacker execute code in the context of the current process. The supplied advisory recommends avoiding untrusted PAR files and updating to V225.0 Update 5 or later.

Vendor: Siemens
Product: Solid Edge SE2025
CVSS: HIGH 7.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2025-07-08
Original CVE updated: 2025-07-08
Advisory published: 2025-07-08
Advisory updated: 2025-07-08

Who should care

Organizations and users running Siemens Solid Edge SE2025, especially engineering, manufacturing, and design teams that routinely open PAR files from external or untrusted sources. Security teams responsible for CAD application hardening and patch management should prioritize verification and remediation.

Technical summary

The advisory describes an out-of-bounds read condition in Solid Edge SE2025 while parsing specially crafted PAR files. The CVSS vector (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H) indicates that local access (AV:L) and user interaction (UI:R) are required, with no prior privileges needed (PR:N); a successful exploit could result in code execution within the current process, with high impact on confidentiality, integrity, and availability. The affected product scope in the supplied source is Siemens Solid Edge SE2025.

Defensive priority

High

Recommended defensive actions

  • Update Siemens Solid Edge SE2025 to V225.0 Update 5 or later.
  • Do not open untrusted PAR files in the affected application.
  • Limit exposure to externally sourced CAD content and validate file provenance before opening.
  • Review workstation and engineering-team patching to confirm the fixed version is deployed.
  • Monitor Siemens and CISA advisories for any follow-up guidance or revisions.

Evidence notes

This debrief is based only on the supplied CISA CSAF advisory for ICSA-25-191-02 and the linked Siemens security advisory references. The source explicitly states: affected applications contain an out-of-bounds read past the end of an allocated structure while parsing specially crafted PAR files; this could allow code execution in the context of the current process; remediation is to update to V225.0 Update 5 or later and avoid untrusted PAR files. Timing reflects the CVE published and modified dates supplied for 2025-07-08.

Official resources

Publicly disclosed on 2025-07-08 in CISA advisory ICSA-25-191-02 and the linked Siemens security advisory.