Siemens Simcenter Femap: Malicious IPT Files Trigger RCE via Heap Overflow
Siemens has patched a high-severity heap overflow vulnerability in Simcenter Femap’s Datakit library. The flaw allows remote code execution on engineering work…

On May 14, 2026, CISA republished Siemens ProductCERT advisory SSA-870926, confirming a heap-based buffer overflow vulnerability in Simcenter Femap. The flaw is triggered by opening a malicious IPT format file, allowing for remote code execution (RCE) within the context of the current Windows process. Reported by the Trend Micro Zero Day Initiative, the vulnerability resides in the third-party Datakit library and primarily threatens the Critical Manufacturing sector. In these environments, the routine exchange of CAD drawings by engineers and designers exposes high-value workstations to compromise. The attack requires minimal human interaction—simply opening a file—making it a potent threat to intellectual property and operational continuity, as IPT files often bypass standard firewall and antivirus inspections.
- The vulnerability is a heap-based buffer overflow in the Datakit library used by Simcenter Femap, triggered during the parsing of Autodesk Inventor (IPT) CAD files.
- Exploitation allows an attacker to execute arbitrary code (RCE) in the context of the active process; the vulnerability carries a CVSS v3 score of 7.8.
- Siemens has released a new version of Simcenter Femap and recommends an immediate update. Editorial sources identify the fix as build V2512.0003 and the flaw as CVE-2025-12659.
- The Critical Manufacturing sector faces heightened risks of spear-phishing and digital supply chain compromise, as CAD files move between suppliers and teams without deep inspection by traditional security tools.
Datakit Library Vulnerability: IPT Parsing as an Attack Vector
The vulnerability exists within the Datakit library, a third-party component integrated into Simcenter Femap for interoperability with various CAD formats. According to CISA advisory ICSA-26-134-05—a republication of Siemens ProductCERT SSA-870926—the flaw manifests as a heap-based buffer overflow when the software parses IPT files, the native format for Autodesk Inventor.
Memory corruption occurs due to insufficient field length validation during parsing. The Datakit component fails to properly verify the size of specific data sections, allowing an attacker to overwrite heap metadata and hijack the execution flow of the Femap Windows process. As noted by specialized sources, “When Femap processes a malformed IPT file, the Datakit library does not properly check the length of certain data sections.”
Technically, the attack does not require a network-based exploit; an engineer only needs to open the malicious CAD file. This shifts the threat from the network perimeter directly to the workstation, making it particularly insidious in environments where drawings are frequently received from external suppliers or shared repositories and opened under tight project deadlines.
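The defect class described above (a declared section length that is trusted rather than checked) can be illustrated with a toy parser. The following C example is added here for explanation; it is not code from Femap, Datakit or the advisory, and the three-field section layout, the `NAME_CAP` constant, the function names and the sample inputs are all constructed for this demonstration and have nothing to do with the real IPT format. The unchecked variant shows where a heap-based overflow would arise; the checked variant shows the two bounds a parser must enforce before copying (bytes actually present in the input, and capacity of the destination field).

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed toy section layout for this demonstration only (NOT the IPT format):
 *   byte 0     : tag
 *   bytes 1..2 : declared payload length, little-endian
 *   bytes 3..  : payload, supposedly `declared` bytes long
 */
#define NAME_CAP 32   /* fixed capacity of the heap-allocated destination field */

typedef struct {
    uint8_t tag;
    char    name[NAME_CAP];
} section_rec;

typedef enum { PARSE_OK = 0, PARSE_TRUNCATED, PARSE_TOO_LONG, PARSE_OOM } parse_status;

static uint16_t read_le16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }

/* "Before": the declared length is trusted. A value above NAME_CAP makes memcpy
 * write past rec->name into neighbouring heap chunks (heap-based buffer overflow);
 * a value above the bytes actually present also reads past the end of the input. */
static section_rec *parse_section_unchecked(const uint8_t *buf, size_t len) {
    if (len < 3) return NULL;
    section_rec *rec = calloc(1, sizeof *rec);
    if (!rec) return NULL;
    rec->tag = buf[0];
    memcpy(rec->name, buf + 3, read_le16(buf + 1));   /* no bound check at all */
    return rec;
}

/* "After": the declared length is validated against the remaining input and the
 * destination capacity before any byte is copied; malformed input is rejected. */
static parse_status parse_section_checked(const uint8_t *buf, size_t len, section_rec **out) {
    *out = NULL;
    if (len < 3) return PARSE_TRUNCATED;
    size_t declared = read_le16(buf + 1);
    if (declared > len - 3)               return PARSE_TRUNCATED; /* claims bytes not present */
    if (declared > (size_t)(NAME_CAP - 1)) return PARSE_TOO_LONG;  /* would not fit, keep NUL */
    section_rec *rec = calloc(1, sizeof *rec);
    if (!rec) return PARSE_OOM;
    rec->tag = buf[0];
    memcpy(rec->name, buf + 3, declared);
    *out = rec;
    return PARSE_OK;
}

/* Constructed sample inputs: one well-formed, one that claims more bytes than it
 * carries, one whose payload is present but larger than the destination field. */
enum { SAMPLE_GOOD = 0, SAMPLE_TRUNCATED = 1, SAMPLE_OVERSIZED = 2 };

static size_t make_sample(int id, uint8_t *dst, size_t cap) {
    size_t n = 0;
    if (cap < 3 + 40) return 0;
    dst[n++] = 0x01;                                     /* tag */
    switch (id) {
    case SAMPLE_GOOD:       dst[n++] = 5;   dst[n++] = 0; memcpy(dst + n, "hello", 5); n += 5;  break;
    case SAMPLE_TRUNCATED:  dst[n++] = 200; dst[n++] = 0; memcpy(dst + n, "hello", 5); n += 5;  break;
    case SAMPLE_OVERSIZED:  dst[n++] = 40;  dst[n++] = 0; memset(dst + n, 'A', 40);    n += 40; break;
    default: return 0;
    }
    return n;
}

/* Run the hardened parser over a sample; copy the parsed name to name_out if given. */
static parse_status parse_sample(int id, char *name_out, size_t name_cap) {
    uint8_t buf[64];
    size_t len = make_sample(id, buf, sizeof buf);
    section_rec *rec = NULL;
    parse_status st = parse_section_checked(buf, len, &rec);
    if (st == PARSE_OK && name_out && name_cap > 0) {
        strncpy(name_out, rec->name, name_cap - 1);
        name_out[name_cap - 1] = '\0';
    }
    free(rec);
    return st;
}

/* Convenience check: did the hardened parser accept the sample and yield `expected`? */
static int sample_name_is(int id, const char *expected) {
    char name[NAME_CAP];
    return parse_sample(id, name, sizeof name) == PARSE_OK && strcmp(name, expected) == 0;
}

int main(void) {
    static const char *label[] = { "good", "truncated", "oversized" };
    for (int id = SAMPLE_GOOD; id <= SAMPLE_OVERSIZED; id++)
        printf("%-9s -> status %d\n", label[id], parse_sample(id, NULL, 0));
    /* The unchecked parser is only ever exercised here on the well-formed sample. */
    uint8_t buf[64];
    size_t len = make_sample(SAMPLE_GOOD, buf, sizeof buf);
    section_rec *legacy = parse_section_unchecked(buf, len);
    printf("unchecked parser on good input: %s\n", legacy ? legacy->name : "(null)");
    free(legacy);
    return 0;
}
```

The two rejections map onto the two ways a length field can lie: `PARSE_TRUNCATED` catches a header that promises more bytes than the file contains (an over-read), and `PARSE_TOO_LONG` catches a payload that is present but exceeds the fixed-size heap field it is copied into (the overflow the advisory describes). Checking the container bound first also prevents the capacity check from being bypassed by a truncated file.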
Process-Level RCE: Implications for Engineering Environments
The advisory is explicit: if a user is tricked into opening a malicious file, an attacker can leverage the vulnerability to execute arbitrary code in the context of the current process. This means the payload inherits the permissions and visibility of Simcenter Femap itself, granting access to FEM models, materials, meshes, and—via network file access libraries—potentially to corporate shares and PLM databases.
“Simcenter Femap is affected by heap based buffer overflow vulnerability in Datakit library that could be triggered when the application reads files in IPT format. If a user is tricked to open a malicious file with the affected application, an attacker could leverage the vulnerability to perform remote code execution in the context of the current process.” — CISA / Siemens ProductCERT
With a CVSS v3 score of 7.8, the vulnerability is classified as "High" not due to exploit complexity, but because of its significant impact on the confidentiality, integrity, and availability of design systems. The threat is exacerbated by the fact that engineering workstations often possess elevated privileges or direct access to production resources.
The CAD File: A Digital Supply Chain Blind Spot
Beyond the technical mechanics, this flaw highlights the role of CAD files in the modern supply chain. Formats like IPT, STEP, or Parasolid are rarely treated by endpoint antivirus solutions with the same scrutiny as executables or scripts; they are often viewed as inert data. Consequently, an IPT attachment seemingly sent by a supplier or downloaded from a collaboration portal can traverse gateways, firewalls, and sandboxes without triggering alarms.
Engineers typically handle hundreds of files daily, often via email or cloud sharing, integrating them quickly into complex assemblies. This workflow creates an ideal attack surface for targeted spear-phishing. A credible subject line and a well-crafted file are all that is needed to compromise a workstation, leading to risks of intellectual property theft, project sabotage, or lateral movement toward ERP and MES systems.
Remediation and Patch Details
Siemens has responded by releasing a new version of Simcenter Femap. The primary advisory states: “Siemens has released a new version for Simcenter Femap and recommends to update to the latest version.”
While the verbatim vendor text does not always list the CVE identifier in all summary materials, editorial sources have linked the vulnerability to CVE-2025-12659 and identified the corrective version as V2512.0003. Where no independent primary source confirms a given quantitative detail, the vendor’s general directive remains the definitive countermeasure: updating to the latest available version is essential.
Currently, there are no known official workarounds or temporary mitigations for users who cannot immediately apply the update.
Security Recommendations
- Verify and apply the latest update released by Siemens for Simcenter Femap. Industry reports indicate build V2512.0003 addresses the IPT vulnerability, but users should follow official vendor channels to ensure they are using the most current version for their specific environment.
- Inspect incoming IPT files from suppliers, clients, or external sources within a sandbox or isolated workstation before opening them on production systems. CAD formats should be treated with the same level of caution as executables until their provenance is verified.
- Run Simcenter Femap using Windows accounts with reduced privileges. Avoiding administrative profiles for design tasks ensures that an RCE event is limited in its ability to establish persistence or move laterally across the network.
- Segment engineering workstations into dedicated network zones with controlled access to PLM servers and storage. Isolating CAD traffic from the general corporate network limits the potential for propagation following a compromise.
The vulnerability in Simcenter Femap is symptomatic of a structural issue: engineering workstations manage high-value strategic data but are often defended with security logic designed for general office tasks. As long as CAD files circulate freely as seemingly harmless attachments, the IPT format will remain a preferred vector for targeting the digital supply chain. Siemens has provided a patch, but the true measure of security will be the speed at which IT departments in the manufacturing sector can deploy it across often-isolated or slowly-updated workstations.
Frequently Asked Questions
Does this vulnerability affect users who do not use IPT files?
No. Current evidence indicates the flaw is specifically triggered during the parsing of IPT format files via the Datakit library. Users who do not import this format into their environment are not exposed to this specific vector, though keeping software updated remains a best practice.
Why is the CVSS score 7.8 if the attack requires user interaction?
The required interaction is minimal and highly plausible in real-world engineering contexts where opening CAD attachments is routine. Furthermore, execution within the current process context provides immediate access to design data and network resources, resulting in a high impact on confidentiality and integrity.
Are there known Indicators of Compromise (IoCs) for this flaw?
At the time of publication, no analyzed sources have reported specific IoCs, hash samples, or evidence of active exploitation in the wild. This lack of visibility makes proactive patching and network segregation the primary lines of defense.