CISA has released ICS Advisory ICSA-26-134-05 regarding a critical vulnerability in Siemens Simcenter Femap, a widely used engineering simulation solution for the Critical Manufacturing sector. The vulnerability, tracked as a heap-based buffer overflow in the Datakit library, allows attackers to execute arbitrary code simply by convincing a user to open a maliciously crafted file in IPT format. Given the high volume of file sharing in engineering workflows and the privileged access engineers often have to design data, this vulnerability represents a significant vector for initial access or lateral movement. Defenders in OT and industrial environments must prioritize patching to disrupt potential attack chains targeting intellectual property and operational continuity.
Technical Analysis
Affected Products & Versions:
- Product: Siemens Simcenter Femap
- Affected Versions: All versions prior to 2512.0003
- Vulnerability Type: Heap-based Buffer Overflow (CWE-122)
- Component: Datakit library (responsible for parsing third-party CAD formats)
- CVSS v3 Score: 7.8 (High)
Mechanism of Exploitation: The vulnerability lies in how the Datakit library processes IPT files (a proprietary format used by Autodesk Inventor). When Simcenter Femap parses an IPT file, inadequate bounds checking in the Datakit library leads to a heap-based buffer overflow.
From an attacker's perspective, the chain is:
- Delivery: A phishing email or supply-chain compromise delivers a malicious .ipt file.
- Trigger: An engineer or analyst opens the file within Simcenter Femap.
- Exploitation: The buffer overflow corrupts memory, potentially bypassing DEP/ASLR to redirect execution flow.
- Execution: Arbitrary code runs in the context of the femap.exe process. Since engineers often run with local administrative rights to maintain legacy simulation tools, this frequently results in privileged code execution.
Exploitation Status:
While CISA has not confirmed active exploitation in the wild at the time of this advisory, the nature of the vulnerability (user interaction required, high-value target, common file type) makes it a prime candidate for targeted campaigns. The availability of a patch (2512.0003) reduces the barrier for reverse engineering, increasing the likelihood of PoC exploit development in the short term.
Detection & Response
Detecting client-side application exploitation requires shifting focus from network indicators to process behavior. A CAD application spawning a shell is a definitive anomaly.
SIGMA Rules
---
title: Simcenter Femap Spawning Windows Shell
id: 8b8e9d12-4c3a-4f5b-9e1d-2f3c4d5e6f7a
status: experimental
description: Detects Simcenter Femap spawning cmd.exe, powershell.exe or pwsh.exe, indicative of successful RCE or macro execution.
references:
  - https://www.cisa.gov/news-events/ics-advisories/icsa-26-134-05
author: Security Arsenal
date: 2025/04/26
tags:
  - attack.execution
  - attack.t1204
  - cve.2025.26134
logsource:
  category: process_creation
  product: windows
detection:
  selection_parent:
    ParentImage|endswith:
      - '\femap.exe'
  selection_child:
    Image|endswith:
      - '\cmd.exe'
      - '\powershell.exe'
      - '\pwsh.exe'
  condition: all of selection_*
falsepositives:
  - Legitimate engineering automation scripts (rare)
level: high
---
title: Simcenter Femap Spawning Scripting Hosts
id: 9c9f0e23-5d4b-5g6c-0f2e-3g4d5e6f7g8b
status: experimental
description: Detects Simcenter Femap spawning cscript.exe or wscript.exe, often used for secondary payloads.
references:
  - https://www.cisa.gov/news-events/ics-advisories/icsa-26-134-05
author: Security Arsenal
date: 2025/04/26
tags:
  - attack.execution
  - attack.t1059.005
logsource:
  category: process_creation
  product: windows
detection:
  selection_parent:
    ParentImage|endswith:
      - '\femap.exe'
  selection_child:
    Image|endswith:
      - '\cscript.exe'
      - '\wscript.exe'
  condition: all of selection_*
falsepositives:
  - Legitimate automation workflows
level: medium
KQL (Microsoft Sentinel / Defender)
// Hunt for suspicious child processes spawned by Simcenter Femap
DeviceProcessEvents
| where InitiatingProcessFileName =~ "femap.exe"
| where FileName in~ ("cmd.exe", "powershell.exe", "pwsh.exe", "cscript.exe", "wscript.exe", "mshta.exe")
| project Timestamp, DeviceName, AccountName, InitiatingProcessCommandLine, FileName, ProcessCommandLine, FolderPath
| order by Timestamp desc
Velociraptor VQL
-- Hunt for abnormal child processes of Simcenter Femap
SELECT Parent.Name AS ParentProcess, Pid, Name, CommandLine, Exe, Username
FROM pslist()
WHERE Parent.Name =~ "femap.exe"
AND Name IN ("cmd.exe", "powershell.exe", "pwsh.exe", "cscript.exe", "wscript.exe")
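The Sigma, KQL and VQL hunts above all encode the same parent/child test, so it is worth seeing how that logic behaves on realistic telemetry before deploying it. The following Python is an added example, not part of the advisory or of Security Arsenal's detection content: it replays the two Sigma rules' detection sections against constructed Sysmon-style process-creation events. It implements only the Sigma subset those rules use (the endswith modifier, value lists, AND between fields, and "all of selection_*"), and the event contents, including the solver.exe name, are constructed for the demonstration.

```python
"""Replay the page's two Sigma rules against sample process_creation events.

Added illustration, not part of the advisory. Implements only the Sigma
subset the rules use: the |endswith modifier, value lists (OR within a
field), AND between fields of one selection, and 'all of selection_*'.
Sigma string matching is case-insensitive, which matters for Windows paths.
"""

# Detection sections of the two rules, transcribed from the page.
RULES = {
    "Simcenter Femap Spawning Windows Shell": {
        "selection_parent": {"ParentImage|endswith": ["\\femap.exe"]},
        "selection_child": {
            "Image|endswith": ["\\cmd.exe", "\\powershell.exe", "\\pwsh.exe"]
        },
    },
    "Simcenter Femap Spawning Scripting Hosts": {
        "selection_parent": {"ParentImage|endswith": ["\\femap.exe"]},
        "selection_child": {"Image|endswith": ["\\cscript.exe", "\\wscript.exe"]},
    },
}


def field_matches(event: dict, key: str, values: list[str]) -> bool:
    """Evaluate one 'Field|modifier: [values]' entry; the values are ORed."""
    field, _, modifier = key.partition("|")
    actual = str(event.get(field, "")).lower()
    if modifier == "endswith":
        return any(actual.endswith(v.lower()) for v in values)
    if modifier == "":  # plain, case-insensitive equality
        return any(actual == v.lower() for v in values)
    raise ValueError(f"modifier not supported by this mini-evaluator: {modifier}")


def selection_matches(event: dict, selection: dict) -> bool:
    """Fields inside one selection are ANDed."""
    return all(field_matches(event, k, v) for k, v in selection.items())


def matching_rules(event: dict) -> list[str]:
    """'condition: all of selection_*' means every selection must match."""
    return [
        name
        for name, selections in RULES.items()
        if all(selection_matches(event, s) for s in selections.values())
    ]


# Constructed events (not real logs). Indexes 0-2 should fire; 3-5 should not.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Program Files\Siemens\Simcenter Femap\femap.exe",
     "Image": r"C:\Windows\System32\cmd.exe"},
    # Case differences in Windows paths must not evade the rule.
    {"ParentImage": r"C:\PROGRAM FILES\SIEMENS\SIMCENTER FEMAP\FEMAP.EXE",
     "Image": r"C:\Program Files\PowerShell\7\pwsh.exe"},
    {"ParentImage": r"C:\Program Files\Siemens\Simcenter Femap\femap.exe",
     "Image": r"C:\Windows\System32\wscript.exe"},
    # Normal simulation activity: Femap launching a solver (hypothetical name).
    {"ParentImage": r"C:\Program Files\Siemens\Simcenter Femap\femap.exe",
     "Image": r"C:\Program Files\Siemens\Simcenter Femap\solver.exe"},
    # A shell spawned by a different parent is outside these rules' scope.
    {"ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "Image": r"C:\Windows\System32\cmd.exe"},
    # The leading backslash in '\femap.exe' keeps 'notfemap.exe' from matching.
    {"ParentImage": r"C:\Tools\notfemap.exe",
     "Image": r"C:\Windows\System32\cmd.exe"},
]


def hunt(events: list[dict] = SAMPLE_EVENTS) -> dict[int, list[str]]:
    """Return {event index: [rule titles that fired]} for events that fired."""
    hits = {}
    for i, ev in enumerate(events):
        fired = matching_rules(ev)
        if fired:
            hits[i] = fired
    return hits


if __name__ == "__main__":
    for idx, titles in hunt().items():
        print(f"event {idx}: {', '.join(titles)}")
```

The last three sample events are the ones to keep when tuning: a solver child shows the rules stay quiet on ordinary simulation work, the Excel-spawned shell shows the rules are scoped to Femap rather than to shells in general, and the notfemap.exe case shows why the rule values carry a leading backslash.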
Remediation Script
# Check Simcenter Femap Version and Remediation Status
$FixedVersion = [version]"2512.0003"
$VulnerableFound = $false
# Common installation paths for Simcenter Femap
$Paths = @(
    "C:\Program Files\Siemens\Simcenter Femap\",
    "C:\Program Files (x86)\Siemens\Simcenter Femap\"
)
Write-Host "[+] Scanning for Simcenter Femap installations..." -ForegroundColor Cyan
foreach ($Path in $Paths) {
    if (Test-Path $Path) {
        $FemapExe = Get-ChildItem -Path $Path -Filter "femap.exe" -Recurse -ErrorAction SilentlyContinue
        if ($FemapExe) {
            foreach ($Exe in $FemapExe) {
                try {
                    $VersionInfo = $Exe.VersionInfo.FileVersion
                    # Note: Siemens Femap versions often map the 202x.x marketing format to internal build numbers.
                    # This script checks against the specific fixed version string mentioned in the advisory.
                    Write-Host " Found: $($Exe.FullName)"
                    Write-Host " Version: $VersionInfo" -ForegroundColor Yellow
                    # Compare as [version] objects, not strings: a string comparison is lexical,
                    # so a build reporting "2512.2" would sort as newer than "2512.0003" and be missed.
                    $Detected = $null
                    if ([version]::TryParse($VersionInfo, [ref]$Detected)) {
                        if ($Detected -lt $FixedVersion) {
                            Write-Host " [!] VULNERABLE: Version is below 2512.0003." -ForegroundColor Red
                            $VulnerableFound = $true
                        } else {
                            Write-Host " [OK] Version meets patch requirement." -ForegroundColor Green
                        }
                    } else {
                        # Unparseable version string: flag for manual verification rather than assume it is patched.
                        Write-Host " [?] Could not parse '$VersionInfo' as a version; verify manually against 2512.0003." -ForegroundColor Yellow
                        $VulnerableFound = $true
                    }
                }
                catch {
                    Write-Host " [ERROR] Could not read version info for $($Exe.FullName)" -ForegroundColor Red
                }
            }
        }
    }
}
if (-not $VulnerableFound) {
    Write-Host "[+] No vulnerable versions detected in standard paths." -ForegroundColor Green
} else {
    Write-Host "[!] ACTION REQUIRED: Update vulnerable instances to version 2512.0003 or newer." -ForegroundColor Red
}
Remediation
Immediate Actions:
- Patch Application: Siemens has released version 2512.0003 to address this vulnerability. Update all instances of Simcenter Femap to this version or later immediately.
- Vendor Advisory: Refer to the Siemens Security Advisory for download links and installation instructions.
- File Filtering: If patching is delayed, implement email gateway and DLP rules to quarantine or block incoming .ipt files from untrusted external sources. While this impacts engineering workflows, it is a necessary temporary control.
- User Awareness: Notify engineering and design teams about the risk of opening unsolicited CAD files, specifically IPT formats, even from known internal contacts if their accounts may be compromised.
- Principle of Least Privilege: Ensure users operating Simcenter Femap do not have local administrator privileges unless strictly necessary. This limits what code running in the femap.exe process context can do.
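The interim file-filtering control can be prototyped and tested offline before gateway rules are tuned. The following Python is an added example, not code from CISA, Siemens or Security Arsenal: it parses an e-mail with the standard library, flags .ipt attachments by their final extension, and decides between delivering, delivering with a warning, or quarantining based on whether the sender's domain is on a trusted list. The trusted-domain list, the addresses and the sample message are constructed for the demonstration; a production gateway would additionally open archives and check content type rather than trusting the filename.

```python
"""Flag inbound mail carrying .ipt attachments from untrusted senders.

Added illustration of the 'File Filtering' interim control; not part of the
advisory or any vendor product. Sender domains and the sample message are
constructed for the demonstration.
"""
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser
from email.utils import parseaddr

# Hypothetical domains treated as trusted (internal or partner) senders.
TRUSTED_DOMAINS = {"example-engineering.internal"}

# The file type the advisory names as the trigger: Autodesk Inventor part files.
BLOCKED_EXTENSIONS = {".ipt"}


def sender_domain(msg) -> str:
    """Domain of the From address, lower-cased ('' if unparseable)."""
    _, addr = parseaddr(msg.get("From", ""))
    return addr.rpartition("@")[2].lower()


def risky_attachments(msg) -> list[str]:
    """Names of attachments whose final extension is blocked.

    Case-insensitive and based on the last extension only, so 'model.IPT' and
    'report.pdf.ipt' both match while 'model.ipt.zip' does not; archives need
    separate handling at the gateway.
    """
    names = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        _, dot, tail = name.rpartition(".")
        ext = ("." + tail.lower()) if dot else ""
        if ext in BLOCKED_EXTENSIONS:
            names.append(name)
    return names


def verdict(raw: bytes) -> tuple[str, list[str]]:
    """Classify a raw RFC 5322 message: deliver, deliver-with-warning, quarantine."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    hits = risky_attachments(msg)
    if not hits:
        return "deliver", hits
    if sender_domain(msg) in TRUSTED_DOMAINS:
        # Internal senders still get a warning: their accounts may be compromised.
        return "deliver-with-warning", hits
    return "quarantine", hits


def build_sample(from_addr: str, filename: str) -> bytes:
    """Construct a sample message (constructed test data, not a real capture)."""
    msg = EmailMessage()
    msg["From"] = from_addr
    msg["To"] = "analyst@example-engineering.internal"
    msg["Subject"] = "Updated bracket model"
    msg.set_content("Please review the attached part.")
    msg.add_attachment(b"\x00\x01constructed-bytes", maintype="application",
                       subtype="octet-stream", filename=filename)
    return msg.as_bytes()


if __name__ == "__main__":
    for sender, fname in [("vendor@unknown-supplier.example", "bracket.IPT"),
                          ("cad@example-engineering.internal", "bracket.ipt"),
                          ("vendor@unknown-supplier.example", "report.pdf")]:
        print(sender, fname, "->", verdict(build_sample(sender, fname)))
```

The "deliver-with-warning" branch reflects the User Awareness item: a trusted domain lowers the risk but does not remove it, because the advisory's concern includes compromised internal accounts.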
Official References:
- CISA Advisory: ICSA-26-134-05
- Siemens ProductCERT: SSA-459345