CVE-2025-23401

CVE-2025-23401 is an out-of-bounds read vulnerability (CWE-125) identified in multiple versions of Siemens Teamcenter Visualization and Tecnomatix Plant Simulation. It affects Teamcenter Visualization V14.3 (all versions prior to V14.3.0.13), V2312 (all versions prior to V2312.0009), V2406 (all versions prior to V2406.0007), and V2412 (all versions prior to V2412.0002), as well as Tecnomatix Plant Simulation V2302 (all versions prior to V2302.0021) and V2404 (all versions prior to V2404.0010). The issue arises during parsing of specially crafted WRL files, which can trigger an out-of-bounds read past the end of an allocated structure. The vulnerability carries a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H).

An attacker with local access can exploit this vulnerability by tricking a user into opening a maliciously crafted WRL file in one of the affected applications. No special privileges are required (PR:N), and the attack has low complexity (AC:L), though it relies on user interaction (UI:R). Successful exploitation enables arbitrary code execution in the context of the current process, resulting in high impacts to confidentiality, integrity, and availability (C:H/I:H/A:H) without scope change.

Siemens Product CERT advisory SSA-050438 details mitigations for CVE-2025-23401, including patches for the specified versions. Security practitioners should review the advisory at https://cert-portal.siemens.com/productcert/html/ssa-050438.html for patching instructions, version-specific updates, and additional guidance on securing affected environments.