VYPR
patch · Published May 12, 2026 · Updated May 18, 2026 · 1 source

Siemens Simcenter Femap IPT File Parsing Vulnerability Allows Remote Code Execution

A memory corruption vulnerability in Siemens Simcenter Femap's IPT file parsing (CVE-2025-12659) allows remote code execution, requiring user interaction to open a malicious file.

A critical vulnerability has been disclosed in Siemens Simcenter Femap, a popular computer-aided engineering (CAE) application used for finite element modeling. The flaw, tracked as CVE-2025-12659 and assigned a CVSS score of 7.8, resides in the parsing of IPT files and can lead to memory corruption, enabling remote code execution in the context of the current process.

The vulnerability was reported by researcher Rocco Calvi (@TecR0c) of TecSecurity and publicly disclosed on May 12, 2026, through the Zero Day Initiative (ZDI-26-316). The issue stems from improper validation of user-supplied data within IPT files, which can trigger a memory corruption condition. An attacker can exploit this by convincing a user to open a specially crafted IPT file, potentially gaining full control over the affected system.

Siemens has released a security advisory (SSA-870926) addressing the vulnerability, and CISA has issued an ICS advisory (ICSA-26-134-05) to alert critical infrastructure operators. The advisory recommends users apply the latest updates from Siemens to mitigate the risk. As of disclosure, no active exploitation in the wild has been reported, but the availability of technical details increases the likelihood of exploit development.

Simcenter Femap is widely used in industries such as automotive, aerospace, and manufacturing for structural analysis and simulation. The vulnerability affects all versions of the software prior to the patch, making it a significant concern for organizations relying on this tool. Given the high impact on confidentiality, integrity, and availability, users are urged to prioritize patching.

This disclosure follows a coordinated timeline: the vulnerability was reported to Siemens on August 21, 2025, and the advisory was updated on May 15, 2026. The case highlights the ongoing risks associated with file parsing in engineering software, where complex file formats often harbor memory safety issues. Users should exercise caution when opening IPT files from untrusted sources and ensure their software is up to date.

Synthesized by Vypr AI