CVE-2025-40764: 
Siemens Simcenter Femap vulnerability analysis and mitigation

A vulnerability (CVE-2025-40764) has been identified in Siemens Simcenter Femap software, specifically affecting versions V2406 (All versions < V2406.0003) and V2412 (All versions < V2412.0002). The vulnerability was discovered in August 2025 and involves an out-of-bounds read vulnerability while parsing specially crafted BMP files (Siemens Advisory, CISA Advisory).

The vulnerability is classified as an out-of-bounds read (CWE-125) that occurs during the parsing of BMP files. It has received a CVSS v3.1 base score of 7.8 (HIGH) with the vector string CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H, and a CVSS v4.0 score of 7.3 (HIGH) with the vector string CVSS:4.0/AV:L/AC:H/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N (Siemens Advisory).

Successful exploitation of this vulnerability could allow an attacker to execute code in the context of the current process. The vulnerability affects critical manufacturing sectors worldwide, with potential impacts on confidentiality, integrity, and availability of the affected systems (CISA Advisory).

Siemens has released updates to address this vulnerability and recommends updating to V2406.0003 or later version for Simcenter Femap V2406, and V2412.0002 or later version for Simcenter Femap V2412. As a workaround, users are advised not to open untrusted BMP files in affected applications. Additionally, Siemens recommends protecting network access to devices with appropriate mechanisms and configuring the environment according to Siemens' operational guidelines for industrial security (Siemens Advisory).

The vulnerability was reported by security researcher Michael Heinzl to Siemens ProductCERT, demonstrating responsible disclosure practices in the security community (CISA Advisory).