CVE-2025-23401: 
Siemens Tecnomatix Plant Simulation vulnerability analysis and mitigation

A vulnerability (CVE-2025-23401) has been identified in multiple versions of Siemens Teamcenter Visualization and Tecnomatix Plant Simulation software. The vulnerability was discovered on March 11, 2025, and affects various versions of these applications, including Teamcenter Visualization V14.3, V2312, V2406, V2412, and Tecnomatix Plant Simulation V2302 and V2404. The vulnerability involves an out-of-bounds read past the end of an allocated structure while parsing specially crafted WRL files (Siemens Advisory).

The vulnerability is classified as an out-of-bounds read (CWE-125) that occurs when parsing WRL files. It has been assigned a CVSS v3.1 base score of 7.8 (HIGH) with the vector string CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H, and a CVSS v4.0 base score of 7.3 with the vector string CVSS:4.0/AV:L/AC:H/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N (CISA Advisory).

If successfully exploited, this vulnerability could allow an attacker to execute code in the context of the current process. The vulnerability requires user interaction, specifically opening a maliciously crafted WRL file, which could lead to arbitrary code execution or application crashes (Siemens Advisory).

Siemens has released updates for all affected products and recommends updating to the latest versions: Teamcenter Visualization V14.3 to V14.3.0.13 or later, V2312 to V2312.0009 or later, V2406 to V2406.0007 or later, V2412 to V2412.0002 or later, Tecnomatix Plant Simulation V2302 to V2302.0021 or later, and V2404 to V2404.0010 or later. As a workaround, users are advised not to open untrusted WRL files in affected applications (Siemens Advisory).