Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2025-10886

CVE-2025-10886: Autodesk Shared Components RCE Flaw

CVE-2025-10886 is a remote code execution vulnerability in Autodesk Shared Components caused by memory corruption when parsing malicious MODEL files. This article covers technical details, affected versions, and mitigations.

Published:

CVE-2025-10886 Overview

CVE-2025-10886 is a memory corruption vulnerability affecting multiple Autodesk products that parse MODEL files through the Autodesk Shared Components library. A maliciously crafted MODEL file triggers a buffer overflow condition [CWE-120] when opened in a vulnerable application. An attacker who convinces a user to open the file can execute arbitrary code in the context of the current process.

The flaw impacts the 2026 release branch of Autodesk's CAD, modeling, and engineering portfolio, including AutoCAD, Revit, Inventor, 3ds Max, and Civil 3D. Exploitation requires local file access and user interaction, but successful attacks compromise confidentiality, integrity, and availability of the host process.

Critical Impact

Successful exploitation allows arbitrary code execution in the context of the user running the affected Autodesk application, enabling potential lateral movement and persistence on engineering workstations.

Affected Products

  • Autodesk Shared Components, AutoCAD 2026, AutoCAD Architecture 2026, AutoCAD Electrical 2026, AutoCAD Map 3D 2026, AutoCAD Mechanical 2026, AutoCAD MEP 2026, AutoCAD Plant 3D 2026
  • Autodesk Revit 2026, Revit LT 2026, Inventor 2026, 3ds Max 2026, Civil 3D 2026
  • Autodesk Advance Steel 2026, InfraWorks 2026, Vault 2026

Discovery Timeline

  • 2025-12-16 - CVE-2025-10886 published to the National Vulnerability Database (NVD)
  • 2026-06-17 - Last updated in NVD database

Technical Details for CVE-2025-10886

Vulnerability Analysis

The vulnerability resides in the MODEL file parsing logic within Autodesk Shared Components, a library reused across Autodesk's 2026 product line. When the parser processes a malformed MODEL file, it writes past the bounds of an allocated buffer, corrupting adjacent memory structures. This buffer overflow condition is classified under [CWE-120] (Buffer Copy without Checking Size of Input).

Because Shared Components is statically embedded in many Autodesk applications, a single malicious file can target users across AutoCAD, Revit, Inventor, and other CAD products. The corrupted memory can be leveraged to redirect execution flow, allowing attackers to run arbitrary code with the privileges of the logged-in user.

Root Cause

The root cause is missing or insufficient bounds validation on field lengths or record sizes read from the MODEL file format. The parser trusts attacker-controlled values, resulting in an out-of-bounds write to heap or stack memory during deserialization.

Attack Vector

Exploitation is local and requires user interaction. An attacker delivers a crafted MODEL file through email, file share, cloud collaboration platform, or compromised project repository. When the engineer opens the file in any affected Autodesk product, the parser triggers the corruption and the embedded payload executes. Refer to the Autodesk Security Advisory ADSK-SA-2025-0024 for further technical details.

Detection Methods for CVE-2025-10886

Indicators of Compromise

  • Unexpected child processes spawned by acad.exe, revit.exe, inventor.exe, 3dsmax.exe, or other Autodesk binaries, particularly command shells, scripting hosts, or LOLBins.
  • MODEL files received from untrusted sources or arriving outside normal engineering workflows.
  • Autodesk application crashes followed by anomalous network connections or file writes to user-writable directories.

Detection Strategies

  • Monitor process trees for Autodesk parent processes launching cmd.exe, powershell.exe, wscript.exe, rundll32.exe, or regsvr32.exe.
  • Inspect endpoint telemetry for memory access violations and exception events originating from Autodesk Shared Components modules.
  • Correlate file-open events on .MODEL extensions with subsequent suspicious behaviors using behavioral analytics.

Monitoring Recommendations

  • Centralize Autodesk application crash logs and Windows Error Reporting telemetry for triage.
  • Track software inventory to identify hosts running Autodesk 2026 builds that have not received the Shared Components update.
  • Alert on MODEL files transiting email gateways or file-sharing services from external senders.

How to Mitigate CVE-2025-10886

Immediate Actions Required

  • Apply the updates referenced in Autodesk Security Advisory ADSK-SA-2025-0024 to all affected 2026 products and Shared Components installations.
  • Inventory engineering workstations for vulnerable Autodesk builds and prioritize patching for systems handling external project files.
  • Instruct users to avoid opening MODEL files received from untrusted or unverified sources until patches are deployed.

Patch Information

Autodesk has released fixed versions of Shared Components and the affected 2026 products. Refer to Autodesk Security Advisory ADSK-SA-2025-0024 for the specific build numbers and download locations corresponding to each product. Updates can be deployed through the Autodesk Access client.

Workarounds

  • Restrict opening of MODEL files to those originating from trusted internal repositories with integrity controls.
  • Run Autodesk applications under standard user accounts to limit the impact of arbitrary code execution.
  • Apply application allowlisting and block child-process creation from Autodesk binaries where feasible.
bash
# Example: Windows Defender Attack Surface Reduction rule to block child processes from Office-like apps
# Adapt the GUID list for Autodesk binaries via AppLocker or WDAC policies
Set-MpPreference -AttackSurfaceReductionRules_Ids D4F940AB-401B-4EFC-AADC-AD5F3C50688A -AttackSurfaceReductionRules_Actions Enabled

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.