PatchSiren cyber security CVE debrief
CVE-2026-23718 Siemens CVE debrief
CVE-2026-23718 is a high-severity vulnerability in Siemens Simcenter Femap and Simcenter Nastran. A specially crafted NDB file can trigger an out-of-bounds read during parsing, which may allow code execution in the context of the current process. The advisory is publicly available and was republished by CISA with Siemens ProductCERT source data.
- Vendor: Siemens
- Product: Simcenter Femap
- CVSS: HIGH 7.8
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-02-10
- Original CVE updated: 2026-02-17
- Advisory published: 2026-02-10
- Advisory updated: 2026-02-17
Who should care
Organizations using Siemens Simcenter Femap or Simcenter Nastran should care, especially engineers and administrators who routinely open external or untrusted model files. ICS/OT teams and endpoint defenders should also care because the issue is user-triggered and may lead to code execution in the application process.
Technical summary
The vendor advisory describes an out-of-bounds read while parsing specially crafted NDB files. The supplied CVSS vector is CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H, indicating a local, user-interaction-dependent attack path with high potential impact. The source remediation guidance recommends updating affected products to V2512 or later. The advisory text also includes a mitigation to avoid opening untrusted XDB files; because the vulnerability description refers to NDB files, that file-extension wording should be treated carefully and read alongside the vendor advisory.
Defensive priority
High. The issue is not listed as a CISA KEV vulnerability in the supplied data, but it has a 7.8 CVSS score and can result in code execution if a user opens a malicious file in an affected application.
Recommended defensive actions
- Update Siemens Simcenter Femap to V2512 or later.
- Update Siemens Simcenter Nastran to V2512 or later.
- Do not open untrusted model files in affected applications.
- Review workflows that import files from external partners, contractors, or download sources.
- Apply defense-in-depth controls for engineering workstations, including least privilege and application/network isolation where appropriate.
- Monitor for unexpected crashes or anomalous behavior when parsing NDB/XDB files in affected environments.
Evidence notes
Primary evidence comes from the CISA CSAF advisory ICSA-26-048-01, which cites Siemens ProductCERT SSA-965753. The source lists Siemens as vendor and Simcenter Femap plus Simcenter Nastran as affected products. The published date is 2026-02-10 and the source was republished on 2026-02-17. The advisory states that parsing specially crafted NDB files can cause an out-of-bounds read and potential code execution in the current process. The remediation section recommends V2512 or later and includes a file-handling mitigation. No KEV date or ransomware campaign use is present in the supplied data.
Official resources
- CVE-2026-23718 CVE record (CVE.org)
- CVE-2026-23718 NVD detail (NVD)
- Source item URL (cisa_csaf)
Publicly disclosed in CISA advisory ICSA-26-048-01 on 2026-02-10 and republished on 2026-02-17 with Siemens ProductCERT SSA-965753 data. The supplied data does not indicate KEV inclusion.