CVE-2025-40936 is an out-of-bounds read vulnerability classified under CWE-125 found in the Siemens PS/IGES Parasolid Translator Component, affecting all versions prior to V29.0.258. This component is responsible for parsing IGS (Initial Graphics Exchange Specification) files, commonly used in CAD and engineering applications for 3D model data exchange. The vulnerability arises when the parser processes specially crafted IGS files that cause it to read memory beyond the intended buffer boundaries. This memory corruption can lead to application crashes (denial of service) or, more critically, arbitrary code execution within the context of the running process. The CVSS 3.1 score of 7.8 reflects a high severity, with the vector indicating local attack vector (AV:L), low attack complexity (AC:L), no privileges required (PR:N), but requiring user interaction (UI:R). The scope is unchanged (S:U), and the impact on confidentiality, integrity, and availability is high (C:H/I:H/A:H). No public exploit code is known at this time, but the vulnerability poses a significant risk due to the potential for remote code execution if an attacker can trick a user into opening a malicious IGS file. Siemens’ PS/IGES Parasolid Translator Component is widely used in industrial design and manufacturing software suites, making this vulnerability relevant to organizations relying on Siemens CAD tools. The vulnerability was reserved in April 2025 and published in November 2025, but no patch links are currently available, indicating that remediation may still be pending or in progress.

For European organizations, especially those in manufacturing, automotive, aerospace, and industrial automation sectors, this vulnerability poses a critical risk. Siemens software is widely deployed across Europe, particularly in Germany, France, Italy, and the UK, where industrial engineering and manufacturing are key economic sectors. Exploitation could lead to unauthorized code execution, allowing attackers to compromise intellectual property, disrupt design processes, or pivot within internal networks. The ability to crash applications also risks operational downtime and loss of productivity. Confidentiality breaches could expose sensitive design data, while integrity violations could corrupt engineering files, leading to flawed manufacturing outputs. Given the local attack vector and requirement for user interaction, the threat is more likely to arise from targeted phishing or insider threats delivering malicious IGS files. However, the high impact on all security dimensions makes this vulnerability a significant concern for critical infrastructure and industrial control environments in Europe.

Organizations should prioritize updating the PS/IGES Parasolid Translator Component to version V29.0.258 or later once Siemens releases the patch. Until a patch is available, restrict the processing of IGS files from untrusted or unknown sources by implementing strict file validation and sandboxing techniques. Employ application whitelisting and endpoint detection to monitor and block suspicious file parsing activities. Educate users about the risks of opening unsolicited or unexpected IGS files, particularly from external sources. Network segmentation can limit the impact of a compromised system. Additionally, consider deploying runtime application self-protection (RASP) or behavior-based anomaly detection to identify exploitation attempts. Regularly audit and update Siemens software components and maintain an inventory of affected products to ensure timely patch management. Collaborate with Siemens support channels for early access to patches or mitigations and monitor threat intelligence feeds for emerging exploit information.