Siemens Simcenter Femap Zero-Day Allows Remote Code Execution via Malicious IPT Files
A memory corruption vulnerability in Siemens Simcenter Femap, tracked as CVE-2025-12659, allows remote attackers to execute arbitrary code by tricking users into opening specially crafted IPT files.
Siemens has disclosed a critical vulnerability in its Simcenter Femap software that could allow remote attackers to execute arbitrary code on affected systems. The flaw, assigned CVE-2025-12659 and reported by researcher Rocco Calvi of TecSecurity, resides in the parsing of IPT files and stems from improper validation of user-supplied data, leading to a memory corruption condition.
The vulnerability, detailed in an advisory from the Zero Day Initiative (ZDI-26-317), carries a CVSS score of 7.8 and requires user interaction to exploit. An attacker must convince a target to open a malicious IPT file or visit a compromised page hosting the exploit. Once triggered, the memory corruption condition enables code execution within the context of the current process, potentially giving the attacker the same privileges as the logged-in user.
Simcenter Femap is a widely used computer-aided engineering (CAE) tool for finite element modeling and simulation, deployed across manufacturing, aerospace, and automotive industries. The software's reliance on IPT files for importing geometry and assembly data makes it a prime target for supply-chain-style attacks, where adversaries could embed malicious files in shared project repositories or email attachments.
Siemens has released a security advisory (SSA-870926) addressing the vulnerability, and CISA has published an ICS advisory (ICSA-26-134-05) urging organizations to apply mitigations. The disclosure timeline shows the vulnerability was reported to Siemens on August 12, 2025, with coordinated public release on May 12, 2026. An advisory update followed on May 15, 2026.
No active exploitation has been reported in the wild as of the advisory date, but the availability of technical details increases the risk of weaponization. Organizations using Simcenter Femap should prioritize applying the vendor-supplied patch or implementing recommended workarounds, such as restricting file type associations and user permissions.
This disclosure highlights the ongoing challenge of securing complex engineering software that parse complex file parsing vulnerabilities remain a common vector for remote code execution, particularly in engineering and design software where complex file formats are exchanged regularly. Users are advised to exercise caution when opening IPT files from untrusted sources.