Login Sign Up

CVE-2021-46157

7.8 HIGH
Remote Code Execution

📋 TL;DR

This vulnerability allows remote code execution through memory corruption when Simcenter Femap parses malicious NEU files. Attackers could execute arbitrary code with the privileges of the current user. Affects all versions of Simcenter Femap V2020.2 and V2021.1.

💻 Affected Systems

Products:
  • Simcenter Femap
Versions: V2020.2 (All versions), V2021.1 (All versions)
Operating Systems: Windows
Default Config Vulnerable: ⚠️ Yes
Notes: Vulnerability exists in the NEU file parser component; any configuration using affected versions is vulnerable.

📦 What is this software?

Simcenter Femap by Siemens

View all CVEs affecting Simcenter Femap →

Simcenter Femap by Siemens

View all CVEs affecting Simcenter Femap →

Simcenter Femap by Siemens

View all CVEs affecting Simcenter Femap →

Simcenter Femap by Siemens

View all CVEs affecting Simcenter Femap →

Simcenter Femap by Siemens

View all CVEs affecting Simcenter Femap →

Simcenter Femap by Siemens

View all CVEs affecting Simcenter Femap →

Simcenter Femap by Siemens

View all CVEs affecting Simcenter Femap →

Simcenter Femap by Siemens

View all CVEs affecting Simcenter Femap →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete system compromise via remote code execution leading to data theft, ransomware deployment, or lateral movement within the network.

🟠

Likely Case

Local privilege escalation or arbitrary code execution when a user opens a malicious NEU file, potentially leading to malware installation.

🟢

If Mitigated

Limited impact if file execution is restricted through application whitelisting and users don't process untrusted NEU files.

🌐 Internet-Facing: LOW - Femap is typically not internet-facing; exploitation requires file interaction.
🏢 Internal Only: MEDIUM - Internal users could be targeted via phishing or malicious files in shared locations.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires user interaction to open a malicious NEU file; no authentication bypass needed beyond file access.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Update to V2022.1 or later

Vendor Advisory: https://cert-portal.siemens.com/productcert/pdf/ssa-609880.pdf

Restart Required: Yes

Instructions:

1. Download latest version from Siemens support portal. 2. Install update following vendor instructions. 3. Restart system to complete installation.

🔧 Temporary Workarounds

Restrict NEU file handling

windows

Block or restrict processing of NEU files through application controls

User awareness training

all

Train users not to open NEU files from untrusted sources

🧯 If You Can't Patch

  • Implement application whitelisting to restrict Femap execution
  • Use network segmentation to isolate Femap systems from critical assets

🔍 How to Verify

Check if Vulnerable:

Check Femap version via Help > About; if version is V2020.2 or V2021.1, system is vulnerable.

Check Version:

Not applicable - check via GUI Help > About menu

Verify Fix Applied:

Verify version is V2022.1 or later in Help > About dialog.

📡 Detection & Monitoring

Log Indicators:

  • Unexpected process crashes of femap.exe
  • Unusual file access patterns to NEU files

Network Indicators:

  • Unusual outbound connections from Femap processes

SIEM Query:

Process: femap.exe AND (EventID: 1000 OR EventID: 1001) OR FileAccess: *.neu FROM untrusted sources

📊 Metadata

CVE ID: CVE-2021-46157
CVSS v3 Score: 7.8 (HIGH)
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CWE: CWE-119
Published: February 9, 2022
Last Updated: November 21, 2024

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2021-46157, you might also want to check these:

CVE-2024-23613 10.0

A critical buffer overflow vulnerability in Symantec Deployment Solution 7.9 allows remote, unauthen...

Same vulnerability type (CWE-119)
CVE-2024-23615 10.0

A critical buffer overflow vulnerability in Symantec Messaging Gateway allows remote unauthenticated...

Same vulnerability type (CWE-119)
CVE-2026-2776 10.0

This CVE describes a sandbox escape vulnerability in Firefox's Telemetry component due to incorrect ...

Same vulnerability type (CWE-119)