CVE-2024-24921: 
Siemens Simcenter Femap vulnerability analysis and mitigation

CVE-2024-24921 affects Simcenter Femap (versions prior to V2401.0000). The vulnerability is related to memory corruption while parsing specially crafted Catia MODEL files. This security flaw was discovered and reported through the Zero Day Initiative (ZDI-CAN-21712) (Vendor Advisory, ZDI Advisory).

The vulnerability is classified as an Improper Restriction of Operations within the Bounds of a Memory Buffer (CWE-119). It has been assigned a CVSS v3.1 Base Score of 7.8 (HIGH) with the vector string CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H, and a CVSS v4.0 Base Score of 7.3 with the vector string CVSS:4.0/AV:L/AC:H/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N (CISA Advisory, Vendor Advisory).

If successfully exploited, this vulnerability could allow an attacker to execute arbitrary code in the context of the current process. The vulnerability requires user interaction, specifically opening a malicious file, to be exploited (ZDI Advisory, Vendor Advisory).

Siemens has released version V2401.0000 to address this vulnerability. Users are recommended to update to this version or later. Additionally, Siemens recommends not opening untrusted Catia MODEL files using Simcenter Femap. As a general security measure, it's advised to protect network access to devices with appropriate mechanisms and configure the environment according to Siemens' operational guidelines for Industrial Security (Vendor Advisory).