CVE-2026-23717

High

Published: 10 February 2026

Published

10 February 2026

Modified

11 February 2026

KEV Added

—

Patch

—

CVSS Score 7.8 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

EPSS Score 0.0001 0.6th percentile

Risk Priority 16 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-23717 is a high-severity Out-of-bounds Read (CWE-125) vulnerability in Siemens Simcenter Femap. Its CVSS base score is 7.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Malicious File (T1204.002); ranked at the 0.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-16 (Memory Protection) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Malicious File (T1204.002). What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match

prevent

SI-2 requires timely identification, reporting, and correction of flaws such as this out-of-bounds read in Simcenter Femap and Nastran by applying vendor patches from the Siemens advisory.

SI-16 Memory Protection good match

prevent

SI-16 implements memory protection mechanisms like ASLR and DEP that directly mitigate exploitation of out-of-bounds read vulnerabilities leading to code execution.

SI-10 Information Input Validation partial match

prevent

SI-10 mandates validation of information inputs such as specially crafted XDB files to prevent parsing errors that trigger the vulnerability.

MITRE ATT&CK Enterprise TechniquesAI

T1204.002 Malicious File Execution

An adversary may rely upon a user opening a malicious file in order to gain execution.

attack.mitre.org →

Why these techniques?

Out-of-bounds read in XDB file parser enables arbitrary code execution upon opening a crafted file, directly facilitating T1204.002 User Execution: Malicious File.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

A vulnerability has been identified in Simcenter Femap (All versions < V2512), Simcenter Nastran (All versions < V2512). The affected applications contains an out of bounds read vulnerability while parsing specially crafted XDB files. This could allow an attacker to…

execute code in the context of the current process.

Deeper analysisAI

CVE-2026-23717 is an out-of-bounds read vulnerability (CWE-125) affecting Simcenter Femap and Simcenter Nastran in all versions prior to V2512. The flaw is triggered when the applications parse specially crafted XDB files, potentially leading to code execution in the context of the current process. The vulnerability received a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H) upon its publication on 2026-02-10.

A local attacker requires no privileges but must rely on user interaction, such as tricking a user into opening a malicious XDB file within the affected applications. Low attack complexity enables exploitation, resulting in high impacts on confidentiality, integrity, and availability through arbitrary code execution in the process context.

Mitigation details are available in the Siemens ProductCERT advisory at https://cert-portal.siemens.com/productcert/html/ssa-965753.html.

Details

CWE(s): CWE-125

Affected Products

siemens

simcenter femap

≤ 2512.0000

siemens

simcenter nastran

≤ 2512.0000

CVEs Like This One

CVE-2026-23716Same product: Siemens Simcenter Femap

CVE-2026-23718Same product: Siemens Simcenter Femap

CVE-2026-23720Same product: Siemens Simcenter Femap

CVE-2026-23715Same product: Siemens Simcenter Femap

CVE-2026-23719Same product: Siemens Simcenter Femap

CVE-2025-25175Same product: Siemens Simcenter Femap

CVE-2025-23399Same vendor: Siemens

CVE-2025-23401Same vendor: Siemens

CVE-2025-27438Same vendor: Siemens

CVE-2026-22923Same vendor: Siemens

References

https://cert-portal.siemens.com/productcert/html/ssa-965753.html
Vendor Advisory · productcert@siemens.com