CVE-2021-46153
📋 TL;DR
This vulnerability allows remote code execution through memory corruption when Simcenter Femap parses malicious NEU files. Attackers can execute arbitrary code with the privileges of the current user. Affects all versions of Simcenter Femap V2020.2 and V2021.1.
💻 Affected Systems
- Simcenter Femap
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise via remote code execution leading to data theft, ransomware deployment, or lateral movement within the network.
Likely Case
Local privilege escalation or arbitrary code execution when a user opens a malicious NEU file, potentially leading to data exfiltration or malware installation.
If Mitigated
Limited impact if proper file validation and user privilege restrictions are in place, though file parsing vulnerabilities remain dangerous.
🎯 Exploit Status
Exploitation requires user interaction to open a malicious NEU file; multiple ZDI advisories suggest mature research but no public exploits.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Update to V2022.1 or later
Vendor Advisory: https://cert-portal.siemens.com/productcert/pdf/ssa-609880.pdf
Restart Required: Yes
Instructions:
1. Download latest Simcenter Femap version from Siemens support portal. 2. Install update following vendor instructions. 3. Restart system to ensure changes take effect.
🔧 Temporary Workarounds
Restrict NEU file handling
windowsBlock or restrict opening of NEU files via application whitelisting or file extension policies
Windows Group Policy: Configure Software Restriction Policies or AppLocker to block .neu files
User awareness training
allTrain users to avoid opening NEU files from untrusted sources
🧯 If You Can't Patch
- Implement strict file validation: Only allow NEU files from trusted sources with digital signatures
- Run Femap with minimal user privileges to limit potential damage from exploitation
🔍 How to Verify
Check if Vulnerable:
Check Femap version: Open Femap → Help → About → Verify version is V2020.2 or V2021.1Check Version:
Not applicable (GUI application)Verify Fix Applied:
Confirm version is V2022.1 or later in Help → About dialog📡 Detection & Monitoring
Log Indicators:
- Unexpected process crashes of femap.exe
- Suspicious child processes spawned from femap.exe
Network Indicators:
- Unusual outbound connections from femap.exe process
SIEM Query:
Process creation where parent_process contains 'femap.exe' AND (process_name contains 'cmd.exe' OR process_name contains 'powershell.exe')🔗 References
- https://cert-portal.siemens.com/productcert/pdf/ssa-609880.pdf
- https://www.zerodayinitiative.com/advisories/ZDI-22-297/
- https://www.zerodayinitiative.com/advisories/ZDI-22-298/
- https://www.zerodayinitiative.com/advisories/ZDI-22-299/
- https://www.zerodayinitiative.com/advisories/ZDI-22-300/
- https://cert-portal.siemens.com/productcert/pdf/ssa-609880.pdf
- https://www.zerodayinitiative.com/advisories/ZDI-22-297/
- https://www.zerodayinitiative.com/advisories/ZDI-22-298/
- https://www.zerodayinitiative.com/advisories/ZDI-22-299/
- https://www.zerodayinitiative.com/advisories/ZDI-22-300/
