Skip to main content
CVE Vulnerability Database

CVE-2025-9452: Autodesk Shared Components RCE Flaw

CVE-2025-9452 is a remote code execution vulnerability in Autodesk Shared Components caused by malicious SLDPRT files. Attackers can exploit memory corruption to run arbitrary code. This article covers technical details, impact, and mitigation.

Published:

CVE-2025-9452 Overview

CVE-2025-9452 is a memory corruption vulnerability affecting the SLDPRT file parser used by Autodesk Shared Components and multiple Autodesk product lines. A maliciously crafted SolidWorks Part (.SLDPRT) file triggers an out-of-bounds write [CWE-787] when processed by the affected parser. An attacker who convinces a user to open a weaponized file can execute arbitrary code in the context of the current process. The flaw spans the 2026 release line of products including AutoCAD, Revit, Inventor, 3ds Max, Civil 3D, and Vault, making it a wide-impact issue for engineering and design environments.

Critical Impact

Successful exploitation yields arbitrary code execution under the privileges of the user running the Autodesk application, with full impact to confidentiality, integrity, and availability.

Affected Products

  • Autodesk Shared Components, AutoCAD 2026, AutoCAD Architecture 2026, AutoCAD Electrical 2026, AutoCAD Map 3D 2026, AutoCAD Mechanical 2026, AutoCAD MEP 2026, AutoCAD Plant 3D 2026
  • Autodesk 3ds Max 2026, Advance Steel 2026, Civil 3D 2026, Inventor 2026, Revit 2026, Revit LT 2026
  • Autodesk InfraWorks 2026 and Autodesk Vault 2026

Discovery Timeline

  • 2025-12-16 - CVE-2025-9452 published to the National Vulnerability Database
  • 2026-01-22 - Last updated in NVD database

Technical Details for CVE-2025-9452

Vulnerability Analysis

The vulnerability resides in the SLDPRT file parsing routines inside Autodesk Shared Components, a library used across the Autodesk 2026 product line. The parser performs an out-of-bounds write while interpreting attacker-controlled fields within the binary file structure. Because the write occurs in process memory shared with the host application, an attacker can corrupt adjacent objects, function pointers, or virtual table entries. This corruption converts a file-format parsing flaw into arbitrary code execution within the Autodesk process. The bug is classified under [CWE-787] Out-of-bounds Write.

Root Cause

The parser fails to validate the size or offset of attacker-controlled structures before writing into a fixed-size buffer or heap allocation. When malformed SLDPRT records are processed, the routine writes past the bounds of the destination buffer. The condition is deterministic and triggered purely by file content, requiring no network access or elevated privileges.

Attack Vector

Exploitation is local and requires user interaction. An attacker delivers a crafted .SLDPRT file via email, shared drive, project repository, supply-chain CAD asset, or third-party library. When the victim opens or imports the file in an affected Autodesk application, the parser executes the malicious payload. The attacker gains code execution at the user's privilege level, which in design and engineering workstations frequently includes access to intellectual property, model repositories, and PLM systems.

No public proof-of-concept or exploit code is currently available. See the Autodesk Security Advisory ADSK-SA-2025-0024 for vendor-supplied technical details.

Detection Methods for CVE-2025-9452

Indicators of Compromise

  • Unexpected child processes spawned by acad.exe, revit.exe, inventor.exe, 3dsmax.exe, or other Autodesk binaries, particularly command shells, PowerShell, or script interpreters.
  • Crashes or Windows Error Reporting (WerFault.exe) events tied to Autodesk processes immediately after opening .SLDPRT files from untrusted sources.
  • .SLDPRT files arriving from external email, untrusted file shares, or recently created directories outside normal project repositories.

Detection Strategies

  • Hunt for parent-child process anomalies where Autodesk processes spawn living-off-the-land binaries such as cmd.exe, rundll32.exe, regsvr32.exe, or mshta.exe.
  • Correlate file-open telemetry for .SLDPRT extensions with subsequent process creation, network connections, or persistence registry modifications.
  • Monitor Autodesk application crashes followed by suspicious memory allocations or DLL loads that do not match the application baseline.

Monitoring Recommendations

  • Inventory all hosts running Autodesk 2026 product versions and confirm patch deployment status against ADSK-SA-2025-0024.
  • Forward EDR process, file, and module load telemetry from CAD and engineering workstations into a centralized analytics platform for retrospective hunting.
  • Alert on inbound .SLDPRT files from external sources, especially those traversing email gateways or web download channels.

How to Mitigate CVE-2025-9452

Immediate Actions Required

  • Apply the updates listed in Autodesk Security Advisory ADSK-SA-2025-0024 to all affected 2026 product installations.
  • Use Autodesk Access to enumerate installed Autodesk products and deploy fixed builds across managed workstations.
  • Block or quarantine .SLDPRT attachments at the email gateway until patches are validated in production.

Patch Information

Autodesk has published fixed releases for the affected 2026 product versions. Administrators should consult ADSK-SA-2025-0024 for the exact build numbers per product (Shared Components, AutoCAD, Revit, Inventor, 3ds Max, Civil 3D, Vault, InfraWorks, Advance Steel, Revit LT, and the AutoCAD verticals) and roll out updates through Autodesk Access or enterprise deployment tooling.

Workarounds

  • Do not open .SLDPRT files from untrusted, unverified, or external sources until patches are applied.
  • Restrict Autodesk applications to standard user accounts to limit the blast radius of code execution within the user context.
  • Enforce attack surface reduction policies that prevent CAD applications from spawning scripting interpreters or command shells.
bash
# Example: Inventory Autodesk 2026 installs on Windows endpoints
Get-CimInstance -ClassName Win32_Product | \
  Where-Object { $_.Vendor -like "Autodesk*" -and $_.Version -like "*2026*" } | \
  Select-Object Name, Version, InstallDate

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.