CVE-2022-28663: 
Siemens Simcenter Femap vulnerability analysis and mitigation

A vulnerability has been identified in Simcenter Femap (All versions < V2022.1.2). The vulnerability, tracked as CVE-2022-28663, was discovered by researcher xina1i working with Trend Micro Zero Day Initiative (ZDI-CAN-15592). The issue was reported to the vendor on December 15, 2021, and was publicly disclosed on April 28, 2022 (ZDI Advisory, CISA Advisory).

The vulnerability is classified as an Out-of-bounds Write (CWE-787) that occurs while parsing specially crafted .NEU files. The issue results from the lack of proper validation of user-supplied data, which can result in a write past the end of an allocated structure. The vulnerability has been assigned a CVSS v3.1 base score of 7.8 HIGH with the vector string: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H (NVD).

If successfully exploited, this vulnerability could allow an attacker to execute arbitrary code in the context of the current process. The high CVSS score indicates potential severe impacts on confidentiality, integrity, and availability of the affected system (CISA Advisory).

Siemens has released version 2022.1.2 to address this vulnerability. Users are recommended to update to this version or later. As a general security measure, Siemens strongly recommends protecting network access to devices with appropriate mechanisms and configuring the environment according to Siemens' operational guidelines for industrial security (CISA Advisory).