CVE-2025-40762: CWE-787: Out-of-bounds Write in Siemens Simcenter Femap V2406

Severity: High
Type: Vulnerability
Tags: CVE-2025-40762, cve, cve-2025-40762, cwe-787
Published: Tue Aug 12 2025 (08/12/2025, 11:17:13 UTC)
Source: CVE Database V5
Vendor/Project: Siemens
Product: Simcenter Femap V2406

Description

A vulnerability has been identified in Simcenter Femap V2406 (All versions < V2406.0003), Simcenter Femap V2412 (All versions < V2412.0002). The affected applications contain an out-of-bounds write vulnerability when parsing a specially crafted STP file. This could allow an attacker to execute code in the context of the current process. (ZDI-CAN-26692)

AI-Powered Analysis

Last updated: 08/12/2025, 11:49:22 UTC

Technical Analysis

CVE-2025-40762 is a high-severity vulnerability identified in Siemens Simcenter Femap software versions prior to V2406.0003 and V2412.0002. The vulnerability is classified as CWE-787, an out-of-bounds write flaw, which occurs during the parsing of specially crafted STP (STEP) files. STP files are standard data exchange files used in CAD and engineering applications for 3D modeling data. The out-of-bounds write means that the software writes data outside the allocated memory boundaries, potentially corrupting memory and enabling an attacker to execute arbitrary code within the context of the affected process.

The CVSS v3.1 base score is 7.8, indicating high severity, with an attack vector of local (AV:L), low attack complexity (AC:L), no privileges required (PR:N), but requiring user interaction (UI:R). The impact on confidentiality, integrity, and availability is high, as successful exploitation can lead to full code execution, potentially allowing an attacker to take control of the system running Simcenter Femap.

No known exploits are currently reported in the wild, and no patches have been linked yet. The vulnerability was reserved in April 2025 and published in August 2025. Siemens Simcenter Femap is widely used in engineering and manufacturing sectors for finite element analysis and simulation, making this vulnerability particularly relevant to organizations relying on these tools for product design and testing.

Potential Impact

For European organizations, the impact of this vulnerability could be significant, especially for those in aerospace, automotive, manufacturing, and industrial engineering sectors where Siemens Simcenter Femap is commonly deployed. Exploitation could lead to unauthorized code execution, potentially resulting in intellectual property theft, sabotage of design data, or disruption of critical engineering workflows. Given the local attack vector and requirement for user interaction, the threat may arise from targeted spear-phishing campaigns delivering malicious STP files or insider threats. The compromise of engineering workstations could cascade into broader network compromise if attackers leverage lateral movement techniques. This risk is heightened in environments where engineering data is sensitive or regulated, such as defense contractors or companies subject to GDPR and other data protection regulations. Disruption or manipulation of simulation results could also have safety implications if flawed designs are produced or approved based on compromised data integrity.

Mitigation Recommendations

Organizations should implement several specific mitigations beyond generic patching advice:

1) Restrict the handling of STP files to trusted sources only, employing strict file validation and sandboxing when opening such files in Simcenter Femap.
2) Enforce the principle of least privilege on user accounts running Simcenter Femap to limit the impact of potential code execution.
3) Deploy application whitelisting and endpoint detection and response (EDR) solutions to detect anomalous behaviors indicative of exploitation attempts.
4) Educate users, particularly engineers and designers, about the risks of opening unsolicited or unexpected STP files, emphasizing the need for caution with file attachments and downloads.
5) Monitor network and host logs for unusual activity related to Simcenter Femap processes.
6) Prepare for rapid patch deployment once Siemens releases official fixes, and consider temporary workarounds such as disabling STP file parsing if feasible.
7) Implement network segmentation to isolate engineering workstations from critical infrastructure to contain potential breaches.

Technical Details

Data Version: 5.1
Assigner Short Name: siemens
Date Reserved: 2025-04-16T08:39:30.032Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 689b2662ad5a09ad003132f9

Added to database: 8/12/2025, 11:32:50 AM

Last enriched: 8/12/2025, 11:49:22 AM

Last updated: 8/23/2025, 8:05:02 AM
