PatchSiren cyber security CVE debrief
CVE-2026-23715 Siemens CVE debrief
CVE-2026-23715 is a high-severity Siemens Simcenter Femap/Nastran issue in XDB parsing. A specially crafted XDB file can trigger an out-of-bounds write and may let an attacker execute code in the context of the current process. The supplied advisory data rates the issue 7.8 HIGH and indicates user interaction is required.
- Vendor: Siemens
- Product: Simcenter Femap
- CVSS: HIGH 7.8
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-02-10
- Original CVE updated: 2026-02-17
- Advisory published: 2026-02-10
- Advisory updated: 2026-02-17
Who should care
Administrators, engineers, and security teams supporting Siemens Simcenter Femap or Simcenter Nastran deployments, especially systems that import or exchange XDB files. Any team allowing external or untrusted engineering files onto these workstations should prioritize review.
Technical summary
The CISA-captured Siemens advisory describes an out-of-bounds write while the affected applications parse specially crafted XDB files. The supplied CVSS vector is AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H, which indicates local attack conditions with user interaction and the potential for significant confidentiality, integrity, and availability impact if exploitation succeeds. The stated impact is code execution in the context of the current process.
Defensive priority
High. The issue is publicly disclosed, rated CVSS 7.8, and involves a memory corruption condition that can lead to code execution. Patch affected installations promptly, especially if untrusted or externally sourced XDB files may be opened.
Recommended defensive actions
- Update Siemens Simcenter Femap to V2512 or later.
- Update Siemens Simcenter Nastran to V2512 or later.
- Do not open untrusted XDB files in affected applications.
- Inventory where Femap and Nastran are installed and confirm whether affected versions are present.
- Follow CISA ICS recommended practices and defense-in-depth guidance for industrial software environments.
Evidence notes
The supplied timeline shows the CVE and source advisory were first published on 2026-02-10 and modified/republished on 2026-02-17; use these dates as the timing context for the issue. The source corpus states that Siemens Simcenter Femap and Simcenter Nastran are affected, that the flaw is an out-of-bounds write during XDB parsing, and that exploitation could allow code execution in the current process. The remediations in the source recommend updating to V2512 or later and avoiding untrusted XDB files.
Official resources
- CVE-2026-23715 CVE record (CVE.org)
- CVE-2026-23715 NVD detail (NVD)
- Source item URL (cisa_csaf)
Publicly disclosed by CISA in ICS advisory ICSA-26-048-01 on 2026-02-10; CISA republished Siemens ProductCERT advisory content on 2026-02-17. No Known Exploited Vulnerabilities listing is provided in the supplied data.