CVE-2025-10884 Overview
CVE-2025-10884 is an out-of-bounds write vulnerability [CWE-787] affecting multiple Autodesk products that parse CATPART files. A maliciously crafted CATPART file, when opened in an affected Autodesk application, triggers memory corruption during parsing. Attackers can use this flaw to cause application crashes, corrupt data, or execute arbitrary code in the context of the current process.
The vulnerability requires local file access and user interaction. An attacker must convince a user to open a weaponized CATPART file, typically through social engineering or supply-chain delivery within engineering workflows. Autodesk published security advisory ADSK-SA-2025-0024 covering this issue across its 2026 product line.
Critical Impact
Arbitrary code execution in the context of the current user across the full Autodesk 2026 product portfolio, including AutoCAD, Revit, Inventor, 3ds Max, and Civil 3D.
Affected Products
- Autodesk Shared Components (parsing library used across the product family)
- Autodesk AutoCAD 2026 and AutoCAD verticals (Architecture, Electrical, Map 3D, Mechanical, MEP, Plant 3D)
- Autodesk Revit 2026, Revit LT 2026, Inventor 2026, 3ds Max 2026, Civil 3D 2026, Advance Steel 2026, InfraWorks 2026, and Vault 2026
Discovery Timeline
- 2025-12-16 - CVE-2025-10884 published to NVD
- 2026-06-17 - Last updated in NVD database
Technical Details for CVE-2025-10884
Vulnerability Analysis
The flaw resides in the CATPART file parser within Autodesk Shared Components, a library reused across Autodesk's 2026 desktop applications. CATPART is the native part file format from Dassault Systèmes CATIA, and Autodesk products import it for interoperability with CAD workflows. Parsing routines fail to correctly validate size or offset fields embedded in the file, allowing a write operation to extend past the bounds of an allocated buffer.
Once out-of-bounds memory is corrupted, an attacker controlling the file contents can overwrite adjacent heap structures, function pointers, or object metadata. This typically leads to arbitrary code execution in the host application process running with the user's privileges.
Root Cause
The root cause is improper bounds checking during deserialization of CATPART structures, classified as CWE-787 (Out-of-bounds Write). The parser trusts length or index values read directly from attacker-controlled file content without enforcing buffer constraints before writing.
Attack Vector
Exploitation requires local file access and user interaction. A target user must open the malicious CATPART file in an affected Autodesk application. Delivery channels include phishing emails with CAD attachments, shared engineering project repositories, and compromised vendor or contractor deliverables. No network exposure is required, and no prior privileges on the host are needed beyond the ability to open the file.
No public proof-of-concept exploit is currently available, and the issue is not listed in the CISA Known Exploited Vulnerabilities catalog. The EPSS forecast indicates a low near-term exploitation probability, but the broad product footprint raises the value of this vulnerability for targeted attacks against engineering and manufacturing organizations.
Detection Methods for CVE-2025-10884
Indicators of Compromise
- Unexpected crashes of acad.exe, revit.exe, inventor.exe, 3dsmax.exe, or other Autodesk processes immediately after opening a CATPART file
- Autodesk application processes spawning unusual child processes such as cmd.exe, powershell.exe, or rundll32.exe
- CATPART files arriving from untrusted external sources, especially over email or removable media
- Windows Error Reporting (WER) entries referencing access violations in Autodesk Shared Components modules
Detection Strategies
- Hunt for child process creation where the parent is an Autodesk executable and the child is a script interpreter or LOLBin
- Inspect CATPART files for malformed headers and oversized length fields prior to opening in production environments
- Correlate Autodesk application crash events with subsequent suspicious file or network activity on the same host
Monitoring Recommendations
- Enable detailed process creation logging (Windows Event ID 4688 with command line auditing) on engineering workstations
- Monitor for unsigned modules loaded into Autodesk processes via Sysmon Event ID 7
- Forward endpoint telemetry to a centralized analytics platform to baseline normal Autodesk parser behavior and flag deviations
How to Mitigate CVE-2025-10884
Immediate Actions Required
- Apply the updates referenced in Autodesk security advisory ADSK-SA-2025-0024 to all affected 2026 products
- Inventory engineering workstations for installed Autodesk versions and prioritize patching for systems handling external CAD files
- Block inbound CATPART files at email and file-sharing gateways until patches are deployed
Patch Information
Autodesk has released fixed versions for the affected 2026 product line. Customers should consult Autodesk Security Advisory ADSK-SA-2025-0024 for the specific patched build numbers and use the Autodesk Access client to deploy updates across managed installations.
Workarounds
- Restrict opening of CATPART files to a vetted set of trusted senders and shared project repositories
- Run Autodesk applications under standard user accounts to limit the impact of code execution
- Use application allowlisting to prevent Autodesk processes from launching script interpreters or unauthorized binaries
# Example: enumerate installed Autodesk 2026 products on a Windows host
Get-ItemProperty 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*' |
Where-Object { $_.DisplayName -like 'Autodesk*2026*' } |
Select-Object DisplayName, DisplayVersion, InstallLocation
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

