Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2025-10889

CVE-2025-10889: Autodesk Shared Components RCE Flaw

CVE-2025-10889 is a remote code execution vulnerability in Autodesk Shared Components caused by malicious CATPART files. Attackers can exploit this memory corruption flaw to run arbitrary code. This article covers the issue.

Published:

CVE-2025-10889 Overview

CVE-2025-10889 is a memory corruption vulnerability affecting Autodesk Shared Components and a broad range of Autodesk applications. The flaw triggers when a maliciously crafted CATPART file is parsed through an affected product. Attackers can leverage the condition to execute arbitrary code in the context of the current process.

The weakness is classified under [CWE-120] (Buffer Copy without Checking Size of Input). Exploitation requires the victim to open the malicious file, making targeted phishing and supply-chain delivery of CAD assets the realistic attack paths.

Critical Impact

A user opening a crafted CATPART file in AutoCAD, Revit, Inventor, 3ds Max, or related Autodesk products can grant an attacker arbitrary code execution under the user's process context.

Affected Products

  • Autodesk Shared Components
  • Autodesk AutoCAD 2026 and AutoCAD verticals (Architecture, Electrical, Map 3D, Mechanical, MEP, Plant 3D)
  • Autodesk 3ds Max 2026, Advance Steel 2026, Civil 3D 2026, InfraWorks 2026, Inventor 2026, Revit 2026, Revit LT 2026, and Vault 2026

Discovery Timeline

  • 2025-12-16 - CVE-2025-10889 published to NVD
  • 2026-06-17 - Last updated in NVD database

Technical Details for CVE-2025-10889

Vulnerability Analysis

The vulnerability resides in the file parser that processes CATIA Part (CATPART) files inside Autodesk Shared Components. CATPART is a proprietary 3D part format originating from Dassault Systèmes CATIA, and Autodesk products import it through a shared translator library.

When the parser reads structured records from a crafted file, it copies attacker-controlled data into a fixed-size buffer without validating the length against the destination capacity. The resulting memory corruption can overwrite adjacent objects, function pointers, or return addresses. An attacker who controls the overflow payload can redirect execution to arbitrary code running with the privileges of the Autodesk application.

Because the vulnerable component is shared across the Autodesk product family, a single malformed file exposes every product listed in the advisory.

Root Cause

The root cause is improper bounds checking during deserialization of CATPART structures, consistent with [CWE-120]. The parser trusts size fields embedded in the file rather than enforcing the destination buffer's actual capacity.

Attack Vector

The attack requires local file access and user interaction. An attacker delivers a weaponized CATPART file by email, shared engineering drives, contractor handoffs, or compromised CAD asset libraries. When the victim opens or imports the file, the parser triggers the memory corruption and executes the embedded payload under the user's account.

No network access or authentication on the target system is required. CAD operators frequently hold elevated permissions on engineering workstations, increasing the post-exploitation impact.

The vulnerability is triggered by a malformed CATPART file processed by the Autodesk
Shared Components parser. No public proof-of-concept code is available at this time.
See the Autodesk advisory (ADSK-SA-2025-0024) for technical details.

Detection Methods for CVE-2025-10889

Indicators of Compromise

  • Unexpected crashes, exception logs, or Windows Error Reporting events from Autodesk processes such as acad.exe, revit.exe, inventor.exe, or 3dsmax.exe shortly after opening a CATPART file.
  • Child processes spawned by Autodesk applications (for example, cmd.exe, powershell.exe, rundll32.exe) that are inconsistent with normal CAD workflows.
  • Outbound network connections originating from Autodesk processes following a CATPART import.
  • New executables, scripts, or scheduled tasks written to disk in the time window immediately after a CATPART file is opened.

Detection Strategies

  • Build endpoint detection rules that flag Autodesk applications spawning shell, scripting, or LOLBin processes.
  • Hunt for CATPART files arriving via email attachments, browser downloads, or removable media on engineering workstations.
  • Correlate Autodesk application crashes with subsequent process or file creation activity to surface successful exploitation attempts.

Monitoring Recommendations

  • Enable process creation and image-load logging on workstations running Autodesk 2026 products and forward events to a centralized analytics platform.
  • Monitor file-write telemetry in user profile directories and Autodesk temp paths for newly dropped binaries after CATPART parsing.
  • Track outbound network connections from Autodesk processes and alert on any connection to unrecognized destinations.

How to Mitigate CVE-2025-10889

Immediate Actions Required

  • Apply the fixed versions listed in Autodesk Security Advisory ADSK-SA-2025-0024 using Autodesk Access.
  • Inventory all workstations running Autodesk 2026 products and prioritize systems used by engineers who routinely receive third-party CAD files.
  • Instruct users to refuse CATPART files from untrusted senders until patches are deployed.
  • Restrict Autodesk application accounts to least privilege so a successful exploit does not yield administrative access.

Patch Information

Autodesk has published fixed builds for the affected 2026 product lines and Shared Components. Refer to Autodesk Security Advisory ADSK-SA-2025-0024 for the specific build numbers and download links for each product. Updates are distributed through Autodesk Access.

Workarounds

  • Block inbound CATPART attachments at the email gateway and quarantine the files for review.
  • Use application control policies to prevent Autodesk processes from launching shells, scripting hosts, or other unexpected child processes.
  • Open untrusted CAD files only inside a network-isolated virtual machine until the patch is applied.
bash
# Example: block CATPART attachments at a mail transport rule (Exchange PowerShell)
New-TransportRule -Name "Block-CATPART-Attachments" \
  -AttachmentExtensionMatchesWords "catpart" \
  -RejectMessageReasonText "CATPART attachments are blocked pending CVE-2025-10889 remediation."

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.