Login Sign Up

CVE-2021-46161

7.8 HIGH
Remote Code Execution

📋 TL;DR

This vulnerability allows remote code execution through specially crafted NEU files in Simcenter Femap engineering software. Attackers can exploit an out-of-bounds write vulnerability to execute arbitrary code with the privileges of the current user. Organizations using affected Simcenter Femap versions for engineering analysis are at risk.

💻 Affected Systems

Products:
  • Simcenter Femap
Versions: V2020.2 (All versions), V2021.1 (All versions)
Operating Systems: Windows
Default Config Vulnerable: ⚠️ Yes
Notes: Vulnerability triggers when parsing malicious NEU files, which are native Femap format files.

📦 What is this software?

Simcenter Femap by Siemens

View all CVEs affecting Simcenter Femap →

Simcenter Femap by Siemens

View all CVEs affecting Simcenter Femap →

Simcenter Femap by Siemens

View all CVEs affecting Simcenter Femap →

Simcenter Femap by Siemens

View all CVEs affecting Simcenter Femap →

Simcenter Femap by Siemens

View all CVEs affecting Simcenter Femap →

Simcenter Femap by Siemens

View all CVEs affecting Simcenter Femap →

Simcenter Femap by Siemens

View all CVEs affecting Simcenter Femap →

Simcenter Femap by Siemens

View all CVEs affecting Simcenter Femap →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete system compromise via remote code execution leading to data theft, lateral movement, or ransomware deployment.

🟠

Likely Case

Local privilege escalation leading to unauthorized access to engineering data and system resources.

🟢

If Mitigated

Limited impact if proper file validation and least privilege principles are enforced.

🌐 Internet-Facing: LOW - This requires file parsing, typically not an internet-facing service.
🏢 Internal Only: HIGH - Engineering workstations often process external files and have elevated privileges.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires user interaction to open a malicious file. No public exploit code is available.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Update to V2022.1 or later

Vendor Advisory: https://cert-portal.siemens.com/productcert/pdf/ssa-609880.pdf

Restart Required: Yes

Instructions:

1. Download latest Simcenter Femap version from Siemens support portal. 2. Install update following vendor instructions. 3. Restart affected systems.

🔧 Temporary Workarounds

Restrict NEU file processing

windows

Block or restrict processing of NEU files from untrusted sources

Run with reduced privileges

windows

Run Femap with standard user privileges instead of administrative rights

🧯 If You Can't Patch

  • Implement application whitelisting to prevent execution of unauthorized code
  • Use network segmentation to isolate engineering workstations from critical systems

🔍 How to Verify

Check if Vulnerable:

Check Femap version via Help > About menu. Vulnerable if version is 2020.2.x or 2021.1.x.

Check Version:

Not applicable - check via GUI Help > About menu

Verify Fix Applied:

Verify version is 2022.1 or later in Help > About menu.

📡 Detection & Monitoring

Log Indicators:

  • Unexpected process crashes of femap.exe
  • Suspicious file parsing errors in application logs

Network Indicators:

  • Unusual outbound connections from engineering workstations

SIEM Query:

Process: femap.exe AND (EventID: 1000 OR EventID: 1001) OR File: *.neu from untrusted sources

📊 Metadata

CVE ID: CVE-2021-46161
CVSS v3 Score: 7.8 (HIGH)
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CWE: CWE-787
Published: February 9, 2022
Last Updated: November 21, 2024

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2021-46161, you might also want to check these:

CVE-2022-43604 10.0

CVE-2022-43604 is a critical out-of-bounds write vulnerability in the OpENer EtherNet/IP stack that ...

Same vulnerability type (CWE-787)
CVE-2025-24201 10.0

This critical vulnerability allows malicious web content to break out of the Web Content sandbox via...

Same vulnerability type (CWE-787)
CVE-2020-14871 10.0

This is a critical buffer overflow vulnerability (CWE-787) in Oracle Solaris's Pluggable Authenticat...

Same vulnerability type (CWE-787)