PatchSiren

CVE-2026-23719 Siemens CVE debrief

CVE-2026-23719 is a high-severity heap-based buffer overflow affecting Siemens Simcenter Femap and Simcenter Nastran when parsing specially crafted NDB files. A successful attack could allow code execution in the context of the current process, so organizations should treat any workflow that opens untrusted NDB files as exposed until patched.

  • Vendor: Siemens
  • Product: Simcenter Femap
  • CVSS: HIGH 7.8
  • CISA KEV: Not listed in stored evidence
  • Original CVE published: 2026-02-10
  • Original CVE updated: 2026-02-17
  • Advisory published: 2026-02-10
  • Advisory updated: 2026-02-17

Who should care

Administrators, engineers, and users of Siemens Simcenter Femap or Simcenter Nastran—especially environments where NDB files may come from outside the organization or from untrusted sources.

Technical summary

According to the CISA CSAF advisory and Siemens product security advisory, the flaw is a heap-based buffer overflow triggered during NDB file parsing. The CVSS v3.1 vector is AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H: a local attack vector with low attack complexity, no privileges required, and user interaction required (a user has to open the crafted file), with high impact on confidentiality, integrity, and availability. The stated impact is code execution in the context of the current process.

Defensive priority

High. The issue is rated CVSS 7.8 and has a plausible path to code execution if a user opens a malicious NDB file, so patching should be prioritized for affected systems that handle external or untrusted files.

Recommended defensive actions

  • Update Siemens Simcenter Femap to V2512 or later.
  • Update Siemens Simcenter Nastran to V2512 or later.
  • Do not open untrusted or suspicious NDB files in affected applications.
  • Review file-handling workflows to limit exposure to externally supplied engineering files.
  • Follow Siemens ProductCERT and CISA advisory guidance for any additional product-specific mitigations.

Evidence notes

The source corpus identifies Siemens as the vendor and Simcenter Femap plus Simcenter Nastran as the affected products. CISA published the advisory on 2026-02-10 and republished it on 2026-02-17 after initial republication of Siemens ProductCERT advisory SSA-965753. The remediation guidance in the source explicitly recommends updating both products to V2512 or later and avoiding untrusted NDB files.

Official resources

CISA published ICSA-26-048-01 for CVE-2026-23719 on 2026-02-10 and republished it on 2026-02-17 to incorporate Siemens ProductCERT advisory SSA-965753.