Login Sign Up

CVE-2022-28663

7.8 HIGH
Remote Code Execution

📋 TL;DR

This vulnerability allows remote code execution through specially crafted .NEU files in Simcenter Femap. Attackers can exploit an out-of-bounds write vulnerability to execute arbitrary code with the privileges of the current user. All Simcenter Femap users with versions before V2022.1.2 are affected.

💻 Affected Systems

Products:
  • Simcenter Femap
Versions: All versions < V2022.1.2
Operating Systems: Windows
Default Config Vulnerable: ⚠️ Yes
Notes: Vulnerability is triggered when parsing .NEU files, which are Femap neutral files used for data exchange.

📦 What is this software?

Simcenter Femap by Siemens

View all CVEs affecting Simcenter Femap →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete system compromise through remote code execution, potentially leading to data theft, ransomware deployment, or lateral movement within the network.

🟠

Likely Case

Local privilege escalation or arbitrary code execution when a user opens a malicious .NEU file, potentially leading to data exfiltration or malware installation.

🟢

If Mitigated

Limited impact through application sandboxing or restricted user privileges, potentially causing only application crashes or denial of service.

🌐 Internet-Facing: LOW
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires user interaction to open a malicious file. No public exploit code is available as of analysis.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: V2022.1.2

Vendor Advisory: https://cert-portal.siemens.com/productcert/pdf/ssa-998762.pdf

Restart Required: Yes

Instructions:

1. Download Simcenter Femap V2022.1.2 or later from Siemens support portal. 2. Run the installer with administrative privileges. 3. Follow installation wizard prompts. 4. Restart the system after installation completes.

🔧 Temporary Workarounds

Restrict .NEU file handling

windows

Block or restrict opening of .NEU files through application control policies or file extension filtering.

User awareness training

all

Train users to only open .NEU files from trusted sources and verify file integrity before opening.

🧯 If You Can't Patch

  • Implement application whitelisting to prevent execution of unauthorized code
  • Run Femap with least privilege user accounts to limit potential damage

🔍 How to Verify

Check if Vulnerable:

Check Femap version via Help > About menu. If version is below V2022.1.2, system is vulnerable.

Check Version:

Not applicable - check via GUI Help > About menu

Verify Fix Applied:

Verify installed version is V2022.1.2 or higher in Help > About menu.

📡 Detection & Monitoring

Log Indicators:

  • Application crashes when opening .NEU files
  • Unexpected process creation from femap.exe

Network Indicators:

  • Unusual outbound connections from Femap process

SIEM Query:

Process creation where parent_process contains 'femap.exe' AND command_line contains suspicious patterns

📊 Metadata

CVE ID: CVE-2022-28663
CVSS v3 Score: 7.8 (HIGH)
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CWE: CWE-787
Published: April 12, 2022
Last Updated: November 21, 2024

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2022-28663, you might also want to check these:

CVE-2022-43604 10.0

CVE-2022-43604 is a critical out-of-bounds write vulnerability in the OpENer EtherNet/IP stack that ...

Same vulnerability type (CWE-787)
CVE-2025-24201 10.0

This critical vulnerability allows malicious web content to break out of the Web Content sandbox via...

Same vulnerability type (CWE-787)
CVE-2020-14871 10.0

This is a critical buffer overflow vulnerability (CWE-787) in Oracle Solaris's Pluggable Authenticat...

Same vulnerability type (CWE-787)