PatchSiren cyber security CVE debrief
CVE-2026-23717 Siemens CVE debrief
CVE-2026-23717 is a high-severity vulnerability in Siemens Simcenter Femap and Simcenter Nastran that can trigger an out-of-bounds read while parsing specially crafted XDB files. The published advisory states this could allow code execution in the context of the current process. The issue was publicly disclosed on 2026-02-10, with a CISA republication of the Siemens ProductCERT advisory on 2026-02-17. No Known Exploited Vulnerabilities (KEV) entry was supplied for this CVE.
- Vendor: Siemens
- Product: Simcenter Femap
- CVSS: HIGH 7.8
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-02-10
- Original CVE updated: 2026-02-17
- Advisory published: 2026-02-10
- Advisory updated: 2026-02-17
Who should care
Organizations using Siemens Simcenter Femap or Simcenter Nastran, especially engineering, simulation, and design teams that open XDB files from external or untrusted sources. Security teams responsible for engineering workstations should prioritize this advisory because successful exploitation may execute code in the current process.
Technical summary
The advisory describes an out-of-bounds read during parsing of specially crafted XDB files. The supplied CVSS vector (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H) indicates local attack conditions with required user interaction, and the impact rating reflects potential high confidentiality, integrity, and availability consequences. Siemens lists V2512 or later as the fixed version for both affected products, and also advises not opening untrusted XDB files in affected applications.
Defensive priority
High. This is a publicly disclosed code-execution-capable parsing flaw in engineering software, with user interaction required but strong impact if triggered. It is not marked as KEV in the supplied corpus, but it should still be prioritized for patching and exposure reduction on systems that handle external XDB files.
Recommended defensive actions
- Update Siemens Simcenter Femap to V2512 or later.
- Update Siemens Simcenter Nastran to V2512 or later.
- Do not open untrusted or unsolicited XDB files in affected applications.
- Restrict and review workflows that import XDB files from outside trusted engineering pipelines.
- Prioritize patching on endpoints used by design, simulation, and file-conversion personnel.
- Validate the vendor remediation guidance through the Siemens ProductCERT advisory and CISA advisory before rollout.
Evidence notes
This debrief is based only on the supplied CISA CSAF advisory metadata and the referenced Siemens ProductCERT advisory entries. The published date is 2026-02-10 and the modified/republication date is 2026-02-17, matching the supplied timeline. The corpus identifies Siemens as the vendor and Simcenter Femap plus Simcenter Nastran as the affected products. No exploitation campaign, KEV status, or additional impact details were assumed beyond the source text.
Official resources
- CVE-2026-23717 CVE record (CVE.org)
- CVE-2026-23717 NVD detail (NVD)
- Source item URL (cisa_csaf)
Publicly disclosed on 2026-02-10 by CISA/Siemens advisory publication, with a CISA republication of the Siemens ProductCERT advisory on 2026-02-17.