CVE-2022-28661: 
Siemens Simcenter Femap vulnerability analysis and mitigation

A vulnerability has been identified in Simcenter Femap (All versions < V2022.1.2) that involves an out-of-bounds read past the end of an allocated buffer while parsing specially crafted .NEU files. This vulnerability, tracked as CVE-2022-28661, was discovered and reported through the Zero Day Initiative (ZDI-CAN-15114) (CISA Advisory, NVD).

The vulnerability is classified as an out-of-bounds read (CWE-125) with a CVSS v3.1 base score of 8.8 HIGH (Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H). The issue occurs when parsing specially crafted .NEU files, where the application reads beyond the allocated buffer boundaries (NVD).

If successfully exploited, this vulnerability could allow an attacker to execute code in the context of the current process, potentially leading to unauthorized control over the affected system (CISA Advisory).

Siemens has released version 2022.1.2 to address this vulnerability. Users are recommended to update to this version or later. Additionally, Siemens advises not to open untrusted files in Simcenter Femap and to protect network access to devices with appropriate mechanisms (CISA Advisory).