CVE-2026-23718

High

Published: 10 February 2026

Published

10 February 2026

Modified

11 February 2026

KEV Added

—

Patch

—

CVSS Score 7.8 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

EPSS Score 0.0001 0.6th percentile

Risk Priority 16 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-23718 is a high-severity Out-of-bounds Read (CWE-125) vulnerability in Siemens Simcenter Femap. Its CVSS base score is 7.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Malicious File (T1204.002); ranked at the 0.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Malicious File (T1204.002). What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match

prevent

Directly mandates timely patching of the out-of-bounds read vulnerability in Simcenter Femap and Nastran versions prior to V2512 to prevent exploitation via malicious NDB files.

SI-10 Information Input Validation good match

prevent

Requires validation of NDB file inputs to block specially crafted files that trigger the out-of-bounds read leading to code execution.

SI-16 Memory Protection partial match

prevent

Implements memory protections like DEP and ASLR to mitigate arbitrary code execution from the out-of-bounds read vulnerability.

MITRE ATT&CK Enterprise TechniquesAI

T1204.002 Malicious File Execution

An adversary may rely upon a user opening a malicious file in order to gain execution.

attack.mitre.org →

Why these techniques?

Local file parsing vulnerability in desktop application enables arbitrary code execution upon user opening a malicious NDB file.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

NVD Description

A vulnerability has been identified in Simcenter Femap (All versions < V2512), Simcenter Nastran (All versions < V2512). The affected applications contains an out of bounds read vulnerability while parsing specially crafted NDB files. This could allow an attacker to…

execute code in the context of the current process.

Deeper analysisAI

CVE-2026-23718 is an out-of-bounds read vulnerability (CWE-125) present in Simcenter Femap and Simcenter Nastran, affecting all versions prior to V2512. The flaw arises during the parsing of specially crafted NDB files, which can lead to code execution in the context of the current process. The vulnerability received a CVSS v3.1 base score of 7.8.

Exploitation requires local access (AV:L) with low complexity (AC:L), no privileges (PR:N), and user interaction (UI:R), such as convincing a user to open a malicious NDB file in the affected application. A successful attack enables arbitrary code execution with high impacts on confidentiality, integrity, and availability (C:H/I:H/A:H), all within the unchanged security scope (S:U).

Siemens' security advisory (SSA-965753) at https://cert-portal.siemens.com/productcert/html/ssa-965753.html details mitigation steps for this issue.

Details

CWE(s): CWE-125

Affected Products

siemens

simcenter femap

≤ 2512.0000

siemens

simcenter nastran

≤ 2512.0000

CVEs Like This One

CVE-2026-23716Same product: Siemens Simcenter Femap

CVE-2026-23717Same product: Siemens Simcenter Femap

CVE-2026-23720Same product: Siemens Simcenter Femap

CVE-2026-23715Same product: Siemens Simcenter Femap

CVE-2026-23719Same product: Siemens Simcenter Femap

CVE-2025-25175Same product: Siemens Simcenter Femap

CVE-2025-23399Same vendor: Siemens

CVE-2025-23401Same vendor: Siemens

CVE-2025-27438Same vendor: Siemens

CVE-2026-22923Same vendor: Siemens

References

https://cert-portal.siemens.com/productcert/html/ssa-965753.html
Vendor Advisory · productcert@siemens.com