PatchSiren cyber security CVE debrief

CVE-2025-40936 Siemens CVE debrief

CVE-2025-40936 affects Siemens Solid Edge and is described as an out-of-bounds read while parsing specially crafted IGS files. The issue can be used to crash the application or execute code in the context of the current process. CISA published ICSA-26-043-05 on 2026-02-10 and republished it on 2026-02-12 with Siemens ProductCERT SSA-445819 advisory material. The supplied CVSS vector rates the issue High at 7.8, with local access and user interaction required.

Vendor
Siemens
Product
Solid Edge
CVSS
HIGH 7.8
CISA KEV
Not listed in stored evidence
Original CVE published
2026-02-10
Original CVE updated
2026-02-12
Advisory published
2026-02-10
Advisory updated
2026-02-12

Who should care

Siemens Solid Edge administrators, engineering teams, and end users who open or process IGS files, especially files received from external or untrusted sources.

Technical summary

The advisory states that Solid Edge contains an out-of-bounds read in its IGS (IGES) file parser. The vulnerable code path is reached by specially crafted IGS input, so an attacker who can get a user to open or import such a file can crash the application and may be able to execute code in the context of the current process, that is, with the privileges of the user running Solid Edge. The supplied CVSS vector is CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H. AV:L together with UI:R describes the usual file-based path for this class of bug: the attacker needs no account on the workstation, only a way to deliver the file (email attachment, file share, supplier data exchange) and a user who opens it. PR:N means no prior privileges are required, and C:H/I:H/A:H reflects full compromise of that user's session.

Defensive priority

High. Prioritize patching systems that routinely open third-party or externally sourced IGS files, and treat engineering workstations that receive CAD interchange files from outside the organization as urgent candidates for remediation.

Recommended defensive actions

  • Update Siemens Solid Edge to V226.00 Update 03 or later, as listed in the vendor remediation.
  • Reduce exposure to untrusted IGS content by validating file provenance before opening or importing files: confirm the sender and the expected content, and treat unsolicited IGS attachments or files from unfamiliar suppliers as suspect.
  • Apply least privilege to user accounts and limit which systems can handle external CAD interchange files. Any code execution from this bug inherits the privileges of the user running Solid Edge, so running it from a non-administrative account bounds the impact.
  • Use defense-in-depth controls for engineering workstations and file workflows, consistent with CISA recommended practices.
  • Investigate unexpected crashes or instability during IGS parsing as potential indicators of malicious or malformed input, and quarantine the file that triggered the crash for analysis rather than retrying it.
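The provenance and crash-triage points above both benefit from a structural pre-screen of IGS files arriving from outside. The following is an added example written for this debrief, not code from Siemens, PatchSiren or the advisory. It checks the fixed 80-column record layout of ASCII IGES (section letter in column 73, sequence number in columns 74-80, directory-entry pointers and parameter line counts as 8-column fields) and rejects files whose pointers or counts do not fit the file, which is exactly the kind of inconsistency an unchecked parser would read past. The sample file and the tampering helper are constructed for the demonstration; the function names are the author's own.

```python
"""Structural pre-import check for ASCII IGES (.igs/.iges) files.

Added example for this debrief, not Siemens or PatchSiren code. It is a
triage gate for files from untrusted sources, not a replacement for the
vendor patch: a file that passes can still exploit a parser bug.
"""

SECTION_ORDER = "SGDPT"  # required order: Start, Global, Directory, Parameter, Terminate


def _int_field(data, n):
    """n-th 8-column field of a 72-column data area; blank -> 0, junk -> None."""
    raw = data[8 * n:8 * n + 8].strip()
    if raw == "":
        return 0
    try:
        return int(raw)
    except ValueError:
        return None


def validate_iges(text):
    """Return a list of structural problems; an empty list means the file is well formed."""
    problems, records = [], text.splitlines()
    if not records:
        return ["empty file"]
    counts = {s: 0 for s in SECTION_ORDER}
    de, pd, terminate = [], [], None
    current, expected_seq = -1, 1
    for i, rec in enumerate(records, 1):
        if len(rec) != 80:
            problems.append(f"record {i}: length {len(rec)}, expected 80 columns")
            continue
        section = rec[72]
        if section not in SECTION_ORDER:
            problems.append(f"record {i}: unknown section letter {section!r} in column 73")
            continue
        idx = SECTION_ORDER.index(section)
        if idx < current:
            problems.append(f"record {i}: section {section} appears after {SECTION_ORDER[current]}")
        if idx != current:
            current, expected_seq = idx, 1  # sequence numbers restart in each section
        try:
            seq = int(rec[73:80])
        except ValueError:
            seq = None
        if seq != expected_seq:
            problems.append(f"record {i}: sequence number {rec[73:80]!r}, expected {expected_seq}")
        expected_seq += 1
        counts[section] += 1
        data = rec[:72]
        if section == "D":
            de.append(data)
        elif section == "P":
            pd.append(data)
        elif section == "T":
            if terminate is not None:
                problems.append(f"record {i}: more than one Terminate record")
            terminate = data
    for s in SECTION_ORDER:
        if counts[s] == 0:
            problems.append(f"missing {s} section")
    if records[-1][72:73] != "T":
        problems.append("last record is not the Terminate record")
    # Directory entries are record pairs: record 1 holds the pointer into the
    # P section, record 2 holds how many P records the entity owns.
    if len(de) % 2:
        problems.append("D section has an odd number of records")
    for n in range(0, len(de) - 1, 2):
        de_seq = n + 1
        t1, t2 = _int_field(de[n], 0), _int_field(de[n + 1], 0)
        if t1 != t2:
            problems.append(f"DE {de_seq}: entity type differs between its records ({t1} vs {t2})")
        ptr, lines = _int_field(de[n], 1), _int_field(de[n + 1], 3)
        if ptr is None or lines is None or ptr < 1 or lines < 0 or ptr + lines - 1 > len(pd):
            problems.append(f"DE {de_seq}: parameter data pointer {ptr} with {lines} line(s) "
                            f"does not fit in a P section of {len(pd)} record(s)")
            continue
        for k in range(ptr, ptr + lines):  # each owned P record must point back (cols 65-72)
            if _int_field(pd[k - 1], 8) != de_seq:
                problems.append(f"P {k}: DE back-pointer is not {de_seq}")
    for j, data in enumerate(pd, 1):  # every P record must name a real DE (odd sequence no.)
        back = _int_field(data, 8)
        if back is None or back < 1 or back > len(de) or back % 2 == 0:
            problems.append(f"P {j}: DE pointer {back} is not a valid directory entry")
    if terminate is not None:  # Terminate record repeats the per-section counts
        for pos, s in enumerate("SGDP"):
            chunk = terminate[8 * pos:8 * pos + 8]
            try:
                declared = int(chunk[1:])
            except ValueError:
                declared = None
            if chunk[:1] != s or declared != counts[s]:
                problems.append(f"Terminate record declares {chunk!r} for section {s}, "
                                f"but the file has {counts[s]} record(s)")
    return problems


def is_well_formed(text):
    return not validate_iges(text)


def _rec(data, section, seq):
    return f"{data:<72}{section}{seq:07d}"


def build_sample_iges():
    """Constructed minimal IGES file containing one point entity (type 116)."""
    start = [_rec("Constructed sample IGES file (validator demo)", "S", 1)]
    g = ("1H,,1H;,6Hsample,10Hsample.igs,9Hvalidator,9Hvalidator,32,38,6,308,15,"
         "6Hsample,1.0,2,2HMM,1,0.01,15H20260210.000000,0.001,10.0,6Hauthor,"
         "6Hauthor,11,0,15H20260210.000000;")
    glob = [_rec(g[i:i + 72], "G", n + 1) for n, i in enumerate(range(0, len(g), 72))]
    d1 = f"{116:8d}{1:8d}{0:8d}{0:8d}{0:8d}{0:8d}{0:8d}{0:8d}00000000"  # PD pointer = 1
    d2 = f"{116:8d}{0:8d}{0:8d}{1:8d}{0:8d}{'':8}{'':8}{'':8}{0:8d}"  # PD line count = 1
    de = [_rec(d1, "D", 1), _rec(d2, "D", 2)]
    pd = [_rec(f"{'116,1.0,2.0,3.0,0;':<64}{1:8d}", "P", 1)]
    term = [_rec(f"S{1:7d}G{len(glob):7d}D{2:7d}P{1:7d}", "T", 1)]
    return "\n".join(start + glob + de + pd + term) + "\n"


def tamper_pd_pointer(text, ptr=9):
    """Constructed bad input: point DE 1 at a P record that does not exist."""
    out = []
    for rec in text.splitlines():
        if len(rec) == 80 and rec[72] == "D" and int(rec[73:80]) == 1:
            rec = rec[:8] + f"{ptr:8d}" + rec[16:]
        out.append(rec)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for label, sample in (("good", build_sample_iges()), ("bad", tamper_pd_pointer(build_sample_iges()))):
        print(label, validate_iges(sample) or "well formed")
```

Run it over an incoming file with `validate_iges(open(path, encoding="ascii", errors="replace").read())` and quarantine anything that returns problems. A clean result only says the file is structurally consistent; it does not prove the file is safe, and the check deliberately does not parse entity parameter data, because the vulnerable logic lives inside the vendor parser and the only fix for it is the update listed above.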

Evidence notes

Core facts come from CISA CSAF advisory ICSA-26-043-05 and the referenced Siemens ProductCERT advisory SSA-445819. The advisory explicitly names Siemens Solid Edge, the IGS parsing out-of-bounds read, the potential impact of crash or code execution in the current process, and the remediation version V226.00 Update 03 or later. The published and modified dates were taken from the supplied timeline fields.

Official resources

Publicly disclosed by CISA in ICSA-26-043-05 on 2026-02-10 and republished on 2026-02-12 with Siemens ProductCERT SSA-445819 material. The supplied data does not indicate CISA KEV inclusion.