PatchSiren cyber security CVE debrief
CVE-2026-23716 Siemens CVE debrief
CVE-2026-23716 is a high-severity vulnerability in Siemens Simcenter Femap and Simcenter Nastran. According to the advisory, the affected applications can perform an out-of-bounds read while parsing specially crafted XDB files, which could allow code execution in the context of the current process. The issue was publicly disclosed on 2026-02-10 and later republished by CISA on 2026-02-17 with Siemens ProductCERT advisory SSA-965753 as the source basis.
- Vendor: Siemens
- Product: Simcenter Femap
- CVSS: HIGH 7.8
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-02-10
- Original CVE updated: 2026-02-17
- Advisory published: 2026-02-10
- Advisory updated: 2026-02-17
Who should care
Organizations using Siemens Simcenter Femap or Simcenter Nastran, especially engineering teams, workstations that open customer- or partner-supplied model files, and security teams responsible for desktop application patching and file-handling controls.
Technical summary
The advisory describes an out-of-bounds read condition in XDB file parsing. The CVSS vector (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H) indicates a local attack vector with required user interaction, consistent with a user opening a crafted file. Siemens lists updating to V2512 or later as the fix for both affected products and also recommends not opening untrusted XDB files.
Defensive priority
High. The vulnerability is rated 7.8 HIGH and involves user interaction with potentially attacker-crafted files, but the primary impact is limited to the current process context. Patching and file-handling controls should be prioritized for any system where these products are used to open external files.
Recommended defensive actions
- Update Siemens Simcenter Femap to V2512 or later.
- Update Siemens Simcenter Nastran to V2512 or later.
- Do not open untrusted or unsolicited XDB files in affected applications.
- Restrict file intake workflows so externally sourced engineering files are reviewed before use.
- Apply standard endpoint hardening and least-privilege practices on systems running the affected software.
Evidence notes
All material in this debrief is drawn from the supplied CISA CSAF source item for ICSA-26-048-01 and its referenced Siemens ProductCERT advisory SSA-965753. The source describes an out-of-bounds read while parsing specially crafted XDB files, the potential for code execution in the current process, and remediation to update to V2512 or later. The timeline fields supplied show publication on 2026-02-10 and CISA republication on 2026-02-17; those dates are used here as advisory timing context only.
Official resources
- CVE-2026-23716 CVE record (CVE.org)
- CVE-2026-23716 NVD detail (NVD)
- Source item URL (cisa_csaf)
- Source reference (Reference)
Publicly disclosed on 2026-02-10 in the CISA CSAF advisory ICSA-26-048-01, based on Siemens ProductCERT advisory SSA-965753. CISA republished the advisory on 2026-02-17.