Skip to main content
CVE Vulnerability Database

CVE-2025-9455: Autodesk Shared Components RCE Vulnerability

CVE-2025-9455 is an RCE flaw in Autodesk Shared Components caused by malicious CATPRODUCT files triggering out-of-bounds reads. Attackers can crash systems, steal data, or execute code. Learn the details here.

Published:

CVE-2025-9455 Overview

CVE-2025-9455 is an out-of-bounds read vulnerability [CWE-125] affecting the CATPRODUCT file parser used across Autodesk Shared Components. The flaw is triggered when an affected Autodesk application parses a maliciously crafted CATPRODUCT file. An attacker who convinces a user to open such a file can crash the application, leak sensitive memory contents, or execute arbitrary code in the context of the current process. The vulnerability impacts the 2026 release line of multiple Autodesk products, including AutoCAD, Revit, Inventor, 3ds Max, Civil 3D, and Vault. Autodesk has published advisory ADSK-SA-2025-0024 to track the issue.

Critical Impact

A single crafted CATPRODUCT file opened by an engineer or designer can lead to arbitrary code execution within the affected Autodesk process, enabling foothold establishment on engineering workstations.

Affected Products

  • Autodesk Shared Components (CATPRODUCT parser)
  • Autodesk AutoCAD 2026 and AutoCAD verticals (Architecture, Electrical, Map 3D, Mechanical, MEP, Plant 3D)
  • Autodesk Revit 2026, Revit LT 2026, Inventor 2026, 3ds Max 2026, Civil 3D 2026, Advance Steel 2026, InfraWorks 2026, and Vault 2026

Discovery Timeline

  • 2025-12-16 - CVE-2025-9455 published to the National Vulnerability Database
  • 2025-12-19 - Last updated in NVD database

Technical Details for CVE-2025-9455

Vulnerability Analysis

The vulnerability is an out-of-bounds read [CWE-125] in the parsing logic that processes CATIA CATPRODUCT files within Autodesk Shared Components. CATPRODUCT is a compound document format used to describe product assemblies, and Autodesk products consume it through interoperability libraries shared across the 2026 product line.

When the parser reads structured records from a CATPRODUCT file, it does not adequately validate length or offset fields before dereferencing memory. A crafted file can cause the parser to read past the bounds of an allocated buffer. Depending on heap layout, the read can disclose adjacent memory or corrupt control flow when the returned data feeds subsequent computations, enabling arbitrary code execution within the host process.

Exploitation requires user interaction: the victim must open the malicious file. Because Autodesk applications run with the user's privileges, successful exploitation grants the attacker the same access on the workstation, including network shares and engineering data repositories.

Root Cause

The root cause is insufficient bounds checking in the CATPRODUCT parsing routines exposed through Autodesk Shared Components. Length and offset fields embedded in the file are trusted without validation against the allocated buffer size.

Attack Vector

The attack vector is local and file-based. An attacker delivers a weaponized .CATProduct file through phishing, supply chain compromise of CAD asset libraries, or shared engineering document repositories. The vulnerability is not remotely exploitable over a network, but design collaboration workflows make file delivery straightforward.

No verified proof-of-concept code is publicly available. See the Autodesk Security Advisory ADSK-SA-2025-0024 for vendor technical details.

Detection Methods for CVE-2025-9455

Indicators of Compromise

  • Unexpected crashes (WerFault.exe events) tied to AutoCAD, Revit, Inventor, 3ds Max, or other Autodesk 2026 processes following the opening of a CATPRODUCT file.
  • CATPRODUCT files arriving via email, instant messaging, or untrusted file shares from sources outside normal design collaboration channels.
  • Autodesk processes spawning unexpected child processes such as cmd.exe, powershell.exe, or rundll32.exe.

Detection Strategies

  • Monitor process telemetry for Autodesk binaries spawning shell or scripting interpreters, which is anomalous during normal CAD workflows.
  • Inspect file metadata at the email and web proxy gateways to flag .CATProduct attachments from external senders.
  • Correlate application crash dumps from Autodesk processes with recent file-open events to identify exploitation attempts.

Monitoring Recommendations

  • Enable Windows Defender Exploit Guard or equivalent exploit mitigation auditing for Autodesk binaries to log anomalous memory access.
  • Forward Autodesk application logs and Windows Application/Reliability events to a centralized SIEM for retrospective hunting.
  • Track installed Autodesk product versions across the fleet and alert on hosts still running pre-patch 2026 builds.

How to Mitigate CVE-2025-9455

Immediate Actions Required

  • Apply the updates referenced in Autodesk Security Advisory ADSK-SA-2025-0024 using Autodesk Access or the Autodesk Account portal.
  • Inventory all installations of Autodesk 2026 products and Shared Components, prioritizing engineering workstations handling third-party CAD exchanges.
  • Instruct users to refuse CATPRODUCT files from untrusted or unverified sources until patches are deployed.

Patch Information

Autodesk has released fixed builds for the affected 2026 products. Refer to Autodesk Security Advisory ADSK-SA-2025-0024 for the specific patched version numbers per product. Updates can be installed through Autodesk Access.

Workarounds

  • Block inbound .CATProduct files at email gateways and web proxies where CATIA interoperability is not a business requirement.
  • Restrict opening of CATPRODUCT files to a hardened, network-isolated review workstation until patches are applied.
  • Apply least-privilege controls so that Autodesk applications cannot write to sensitive directories or execute arbitrary child processes.
bash
# Example: PowerShell inventory of installed Autodesk 2026 products
Get-WmiObject -Class Win32_Product |
  Where-Object { $_.Vendor -like 'Autodesk*' -and $_.Name -match '2026' } |
  Select-Object Name, Version, InstallDate

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.