Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2025-10888

CVE-2025-10888: Autodesk Shared Components Buffer Overflow

CVE-2025-10888 is a buffer overflow vulnerability in Autodesk Shared Components that allows attackers to execute arbitrary code via malicious MODEL files. This article covers technical details, affected versions, and mitigation.

Published:

CVE-2025-10888 Overview

CVE-2025-10888 is an out-of-bounds write vulnerability [CWE-787] affecting Autodesk Shared Components and a wide range of Autodesk 2026 products. A maliciously crafted MODEL file, when parsed by an affected product, triggers memory corruption during file processing. An attacker can leverage this flaw to crash the application, corrupt data, or execute arbitrary code in the context of the current user. Exploitation requires the victim to open the malicious file, making targeted phishing and supply-chain delivery of CAD assets the most realistic attack scenarios.

Critical Impact

Successful exploitation allows arbitrary code execution in the context of the user running the affected Autodesk product, leading to full compromise of the workstation.

Affected Products

  • Autodesk Shared Components
  • Autodesk AutoCAD 2026 and verticals (Architecture, Electrical, Map 3D, Mechanical, MEP, Plant 3D)
  • Autodesk 3ds Max 2026, Advance Steel 2026, Civil 3D 2026, InfraWorks 2026, Inventor 2026, Revit 2026, Revit LT 2026, and Vault 2026

Discovery Timeline

  • 2025-12-16 - CVE-2025-10888 published to NVD
  • 2025-12-19 - Last updated in NVD database

Technical Details for CVE-2025-10888

Vulnerability Analysis

The flaw is an out-of-bounds write [CWE-787] in the MODEL file parser used by Autodesk Shared Components. Shared Components is a common library reused across the Autodesk product family, which is why the same defect propagates into AutoCAD, Revit, Inventor, 3ds Max, Civil 3D, Vault, and other 2026-generation products.

When the parser reads structured records from a MODEL file, attacker-controlled length or offset fields cause the code to write past the bounds of an allocated buffer. The resulting memory corruption can overwrite adjacent objects, function pointers, or virtual table references. An attacker who shapes the heap precisely can convert the write primitive into arbitrary code execution within the current process.

The attack vector is local: the malicious MODEL file must be opened by a user. There is no authentication requirement, but user interaction is mandatory. The vulnerability impacts confidentiality, integrity, and availability equally because code runs with the privileges of the Autodesk user.

Root Cause

The root cause is missing or insufficient bounds validation when the MODEL file parser deserializes geometry, metadata, or chunk records. Crafted size, count, or offset fields drive write operations beyond the destination buffer.

Attack Vector

An attacker delivers a weaponized MODEL file through email, a shared design repository, a third-party drawing exchange, or a compromised supplier. When an engineer, architect, or designer opens the file in any affected Autodesk product, the parser corrupts memory and the attacker's payload executes locally. See the Autodesk Security Advisory ADSK-SA-2025-0024 for vendor technical detail.

Detection Methods for CVE-2025-10888

Indicators of Compromise

  • Unexpected crashes or Windows Error Reporting events from acad.exe, revit.exe, inventor.exe, 3dsmax.exe, or other Autodesk product binaries shortly after a MODEL file is opened.
  • Autodesk processes spawning interpreters, shells, or LOLBins such as cmd.exe, powershell.exe, rundll32.exe, or mshta.exe.
  • MODEL files arriving from untrusted senders or unexpected locations, especially mismatched file size or magic bytes versus the declared format.
  • New persistence artifacts (Run keys, scheduled tasks, services) created in the same user session as an Autodesk product launch.

Detection Strategies

  • Hunt for child processes of Autodesk binaries that are not part of the normal application launcher or update flow.
  • Correlate Autodesk process crash telemetry with subsequent file writes, network connections, or registry modifications under the same user context.
  • Inspect MODEL files at the email gateway and file share boundary using sandbox detonation against an affected Autodesk version.

Monitoring Recommendations

  • Track installed Autodesk product versions across endpoints and flag hosts still running the vulnerable 2026 builds listed in ADSK-SA-2025-0024.
  • Alert on process crash events from Autodesk binaries followed by parent-child anomalies within a short time window.
  • Monitor user-writable directories used by Autodesk products for unexpected executables, DLLs, or scripts dropped after MODEL files are opened.

How to Mitigate CVE-2025-10888

Immediate Actions Required

  • Apply the fixed versions referenced in Autodesk Security Advisory ADSK-SA-2025-0024 to Shared Components and every affected product.
  • Use Autodesk Access to identify and deploy the patched product builds on all design and engineering workstations.
  • Instruct users to refuse MODEL files from untrusted senders and to validate provenance before opening files received externally.
  • Restrict end-user privileges so a compromised Autodesk process cannot escalate or persist with administrative rights.

Patch Information

Autodesk addresses CVE-2025-10888 through updates to Autodesk Shared Components, which are distributed with the patched 2026-version releases of AutoCAD, Revit, Inventor, 3ds Max, Civil 3D, Advance Steel, InfraWorks, Vault, and the AutoCAD vertical products. Refer to ADSK-SA-2025-0024 for the exact fixed builds per product line.

Workarounds

  • Block inbound MODEL file attachments at email and collaboration gateways until patching is complete.
  • Quarantine MODEL files originating from external partners and detonate them in an isolated environment before distribution.
  • Run Autodesk products under standard user accounts and enable application allowlisting to constrain post-exploitation activity.
bash
# Example: enumerate Autodesk product versions on a Windows host
Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*" |
  Where-Object { $_.DisplayName -like "*Autodesk*" } |
  Select-Object DisplayName, DisplayVersion, Publisher |
  Sort-Object DisplayName

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.