
CVE-2025-40936: CWE-125: Out-of-bounds Read in Siemens PS/IGES Parasolid Translator Component

Severity: High
Published: Mon Nov 17 2025 (11/17/2025, 11:39:23 UTC)
Source: CVE Database V5
Vendor/Project: Siemens
Product: PS/IGES Parasolid Translator Component

Description

A vulnerability has been identified in PS/IGES Parasolid Translator Component (All versions < V29.0.258), Solid Edge (All versions < V226.00 Update 03). The affected applications contain an out-of-bounds read vulnerability while parsing specially crafted IGS files. This could allow an attacker to crash the application or execute code in the context of the current process. (ZDI-CAN-26755)

AI-Powered Analysis

Machine-generated threat intelligence

Last updated: 02/10/2026, 10:20:42 UTC

Technical Analysis

CVE-2025-40936 is an out-of-bounds read vulnerability classified under CWE-125, found in the Siemens PS/IGES Parasolid Translator Component, which is integrated into Siemens Solid Edge CAD software. It affects all versions of the component prior to V29.0.258 and Solid Edge versions before V226.00 Update 03. The issue occurs when the software parses specially crafted IGS (Initial Graphics Exchange Specification) files, a common CAD file format used for exchanging 3D models. The out-of-bounds read can lead to memory corruption, which attackers can leverage to cause application crashes (denial of service) or execute arbitrary code with the privileges of the user running the application. The CVSS 3.1 score of 7.8 reflects high severity: a local attack vector (AV:L), low attack complexity (AC:L), no privileges required (PR:N), and user interaction required (UI:R). The scope is unchanged (S:U), and the impact on confidentiality, integrity, and availability is high (C:H/I:H/A:H). No public exploits are currently known, but the vulnerability's nature makes it a critical concern for environments relying on Siemens CAD tools. The vulnerability was reserved in April 2025 and published in November 2025, indicating recent discovery and disclosure. Siemens has not yet provided patch links, suggesting patches may be forthcoming or in development.

Potential Impact

For European organizations, especially those in manufacturing, automotive, aerospace, and engineering sectors that heavily rely on Siemens Solid Edge and Parasolid components for CAD and product design, this vulnerability poses significant risks. Successful exploitation could lead to unauthorized code execution, potentially allowing attackers to manipulate design files, steal intellectual property, or disrupt engineering workflows. The ability to crash applications can cause operational downtime, impacting productivity and project timelines. Given the high confidentiality and integrity impact, sensitive design data could be exposed or altered, undermining competitive advantage and compliance with data protection regulations such as GDPR. The requirement for local access and user interaction somewhat limits remote exploitation but does not eliminate risk, as phishing or social engineering could be used to trick users into opening malicious IGS files. The lack of known exploits currently provides a window for proactive mitigation before widespread attacks occur.

Mitigation Recommendations

1. Apply Siemens-provided patches immediately once available for PS/IGES Parasolid Translator Component and Solid Edge software to remediate the vulnerability.
2. Until patches are released, restrict the import and opening of IGS files from untrusted or unknown sources to reduce exposure.
3. Implement application whitelisting and sandboxing to limit the impact of potential code execution within the CAD environment.
4. Educate users on the risks of opening unsolicited or suspicious CAD files, emphasizing caution with IGS files received via email or external media.
5. Monitor systems for unusual application crashes or behaviors that could indicate exploitation attempts.
6. Employ endpoint detection and response (EDR) tools to detect anomalous process activities related to Solid Edge.
7. Coordinate with Siemens support and subscribe to their security advisories for timely updates.
8. Review and enforce least privilege principles for users running CAD software to minimize potential damage from exploitation.


Technical Details

Data Version: 5.2
Assigner Short Name: siemens
Date Reserved: 2025-04-16T09:06:15.878Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 691b0bd1502dbbeec6e1cf57

Added to database: 11/17/2025, 11:49:37 AM

Last enriched: 2/10/2026, 10:20:42 AM

Last updated: 3/21/2026, 4:58:29 PM
