CVE-2025-23398

CVE-2025-23398 is a memory corruption vulnerability (CWE-119) affecting multiple versions of Siemens Teamcenter Visualization and Tecnomatix Plant Simulation software. Specifically, it impacts Teamcenter Visualization V14.3 (all versions prior to V14.3.0.13), V2312 (prior to V2312.0009), V2406 (prior to V2406.0007), and V2412 (prior to V2412.0002), as well as Tecnomatix Plant Simulation V2302 (prior to V2302.0021) and V2404 (prior to V2404.0010). The flaw occurs while parsing specially crafted WRL files, with a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H). It was published on 2025-03-11.

A local attacker can exploit this vulnerability by tricking a user into opening a maliciously crafted WRL file in the affected application. No privileges are required (PR:N), but user interaction is necessary (UI:R), and the attack has low complexity (AC:L). Successful exploitation allows arbitrary code execution in the context of the current process, potentially leading to high-impact confidentiality, integrity, and availability compromises within the local user's session.

The Siemens product CERT advisory at https://cert-portal.siemens.com/productcert/html/ssa-050438.html provides details on mitigation, recommending updates to the patched versions listed above or later to address the vulnerability.