CVE-2025-40936: CWE-125: Out-of-bounds Read in Siemens PS/IGES Parasolid Translator Component
A vulnerability has been identified in PS/IGES Parasolid Translator Component (All versions < V29.0.258). The affected applications contain an out-of-bounds read vulnerability while parsing specially crafted IGS files. This could allow an attacker to crash the application or execute code in the context of the current process. (ZDI-CAN-26755)
AI Analysis
Technical Summary
CVE-2025-40936 identifies a critical out-of-bounds read vulnerability in the Siemens PS/IGES Parasolid Translator Component, which is used to parse IGS files—a common CAD file format. The vulnerability arises from improper bounds checking during the parsing process, allowing specially crafted IGS files to trigger reads outside the allocated memory buffer. This can lead to application crashes (denial of service) or, more severely, arbitrary code execution within the context of the running process. The vulnerability affects all versions prior to V29.0.258, with no patches currently publicly available. Exploitation requires local access and user interaction, as the attacker must supply a malicious IGS file to the vulnerable application. The CVSS 3.1 base score is 7.8, reflecting high impact on confidentiality, integrity, and availability, with low attack complexity and no privileges required. The flaw is tracked under CWE-125 (out-of-bounds read) and was reserved in April 2025, with publication in November 2025. Although no known exploits are reported in the wild, the potential for code execution makes this a significant threat, especially for organizations relying on Siemens' CAD tools in engineering and manufacturing workflows.
Potential Impact
For European organizations, especially those in manufacturing, automotive, aerospace, and industrial engineering sectors that rely heavily on Siemens CAD and CAE software incorporating the PS/IGES Parasolid Translator Component, this vulnerability poses a substantial risk. Successful exploitation can lead to unauthorized code execution, potentially allowing attackers to manipulate design files, steal intellectual property, or disrupt engineering operations. The ability to crash applications can cause denial of service, impacting productivity and project timelines. Given the critical nature of design data in these industries, confidentiality breaches could result in significant financial and reputational damage. Furthermore, compromised systems could serve as footholds for further lateral movement within corporate networks. The requirement for local access and user interaction somewhat limits remote exploitation but does not eliminate risk, particularly in environments where users handle untrusted CAD files or collaborate with external partners. The absence of known exploits currently provides a window for proactive mitigation.
Mitigation Recommendations
1. Immediately plan to upgrade the PS/IGES Parasolid Translator Component to version V29.0.258 or later once Siemens releases the patch.
2. Until patched, implement strict controls on the handling of IGS files, including blocking or quarantining files from untrusted sources.
3. Employ application whitelisting and sandboxing techniques to isolate the vulnerable component and limit the impact of potential exploitation.
4. Educate users about the risks of opening untrusted CAD files and enforce policies to verify file origins before use.
5. Monitor system and application logs for unusual crashes or behaviors indicative of exploitation attempts.
6. Restrict local access to systems running the vulnerable software to trusted personnel only.
7. Coordinate with Siemens support and subscribe to their security advisories for timely updates.
8. Consider network segmentation to limit the spread of compromise from affected endpoints.
9. Conduct vulnerability scanning and penetration testing focused on CAD environments to identify exposure.
10. Maintain robust backup and recovery procedures for critical design data to mitigate impact from denial-of-service conditions.
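A quarantine gate for the IGS-handling recommendation above, as an added example that is not Siemens or OffSeq code: it rejects files whose fixed 80-column record structure is inconsistent before they reach the translator. It assumes the fixed-format ASCII IGES layout (section letter in column 73, sequence number in columns 74-80); `validate_iges` and the sample records are constructed here, and since the page does not say which field triggers CVE-2025-40936, a passing file is not thereby shown to be safe.

```python
import re

SECTIONS = "SGDPT"  # Start, Global, Directory Entry, Parameter Data, Terminate
TERMINATE_RE = re.compile(r"S(\d{7})G(\d{7})D(\d{7})P(\d{7})")

def validate_iges(data: bytes) -> list:
    """Return structural problems found in a fixed-format ASCII IGES file."""
    try:
        lines = data.decode("ascii").splitlines()
    except UnicodeDecodeError:
        return ["file contains non-ASCII bytes"]
    problems, counts, last_rank, term = [], dict.fromkeys(SECTIONS, 0), 0, None
    for n, line in enumerate(lines, 1):
        if len(line) != 80:
            problems.append(f"record {n}: length {len(line)}, expected 80")
            continue
        rank = SECTIONS.find(line[72])  # column 73 holds the section letter
        if rank < 0:
            problems.append(f"record {n}: unknown section {line[72]!r}")
            continue
        if rank < last_rank:
            problems.append(f"record {n}: section {line[72]} out of order")
        last_rank = max(last_rank, rank)
        counts[line[72]] += 1
        seq = line[73:80].strip()  # columns 74-80 hold the sequence number
        if not seq.isdigit() or int(seq) != counts[line[72]]:
            problems.append(f"record {n}: bad sequence number {seq!r}")
        if line[72] == "T":
            term = line
    if counts["T"] != 1:
        problems.append(f"expected 1 Terminate record, found {counts['T']}")
    elif (m := TERMINATE_RE.match(term)) is None:
        problems.append("Terminate record has no S/G/D/P counts")
    else:  # the Terminate record declares how many records each section has
        for letter, declared in zip("SGDP", map(int, m.groups())):
            if declared != counts[letter]:
                problems.append(f"Terminate declares {declared} {letter} "
                                f"records, file has {counts[letter]}")
    if counts["D"] % 2:  # each directory entry occupies two records
        problems.append("Directory Entry section has an odd record count")
    return problems

def _rec(body, section, seq):  # build one constructed 80-column record
    return f"{body:<72}{section}{seq:7d}"

# Constructed sample input (not a real CAD file).
GOOD = "\n".join([_rec("constructed sample", "S", 1), _rec("1H,,1H;;", "G", 1),
                  _rec("     110       1", "D", 1), _rec("     110       0", "D", 2),
                  _rec("110,0.,0.,0.,1.,1.,1.;", "P", 1),
                  _rec("S0000001G0000001D0000002P0000001", "T", 1)]).encode()
BAD = GOOD.replace(b"D0000002", b"D0000400")  # declared count exceeds records present
```

A non-empty result is a reason to quarantine the file for review rather than open it in the CAD application.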
Affected Countries
Germany, France, Italy, United Kingdom, Netherlands, Sweden
Technical Details
- Data Version: 5.2
- Assigner Short Name: siemens
- Date Reserved: 2025-04-16T09:06:15.878Z
- Cvss Version: 3.1
- State: PUBLISHED
Threat ID: 691b0bd1502dbbeec6e1cf57
Added to database: 11/17/2025, 11:49:37 AM
Last enriched: 11/17/2025, 11:58:26 AM
Last updated: 11/17/2025, 1:14:55 PM