Skip to main content
CVE Vulnerability Database

CVE-2025-9460: Autodesk Shared Components RCE Vulnerability

CVE-2025-9460 is a remote code execution flaw in Autodesk Shared Components caused by malformed SLDPRT files that trigger out-of-bounds reads. This post covers the technical details, affected versions, and mitigations.

Published:

CVE-2025-9460 Overview

CVE-2025-9460 is an Out-of-Bounds Read vulnerability [CWE-125] affecting Autodesk Shared Components and a broad set of Autodesk 2026 design products. The flaw triggers when a maliciously crafted SLDPRT (SolidWorks part) file is parsed by an affected Autodesk application. An attacker who convinces a user to open a weaponized file can crash the application, read sensitive process memory, or execute arbitrary code in the context of the current process. Because the vulnerability impacts shared parsing components, it propagates across AutoCAD, Inventor, Revit, 3ds Max, Civil 3D, and other products that share the same code path.

Critical Impact

Successful exploitation enables arbitrary code execution in the context of the logged-in user, with potential for information disclosure or process crash on engineering workstations.

Affected Products

  • Autodesk Shared Components
  • Autodesk AutoCAD 2026 and product family (Architecture, Electrical, Map 3D, Mechanical, MEP, Plant 3D)
  • Autodesk Inventor 2026, Revit 2026, Revit LT 2026, 3ds Max 2026, Advance Steel 2026, Civil 3D 2026, InfraWorks 2026, and Vault 2026

Discovery Timeline

  • 2025-12-16 - CVE-2025-9460 published to NVD
  • 2025-12-19 - Last updated in NVD database

Technical Details for CVE-2025-9460

Vulnerability Analysis

The vulnerability resides in the SLDPRT file parsing logic implemented in Autodesk Shared Components. SLDPRT is the native SolidWorks part-file format, which Autodesk products parse during file import and translation workflows. When the parser processes a malformed structure inside an SLDPRT file, it reads beyond the bounds of an allocated buffer. This Out-of-Bounds Read [CWE-125] returns adjacent heap or stack memory contents to the parser logic.

Attackers can weaponize the out-of-bounds condition in three ways. They can crash the host process for denial of service. They can exfiltrate sensitive memory contents, including pointers useful for bypassing Address Space Layout Randomization (ASLR). They can also combine the leak with control over downstream parsing state to achieve arbitrary code execution in the user context.

Root Cause

The root cause is missing or incorrect bounds validation on a length, offset, or index field inside the SLDPRT binary structure. The parser trusts attacker-controlled size fields and reads memory based on those values without verifying that the read remains within the allocated buffer. Because the affected code lives in Autodesk Shared Components, every downstream product that links the component inherits the same flaw.

Attack Vector

Exploitation requires local user interaction. An attacker must deliver a malicious SLDPRT file through email, shared project repositories, supplier file exchanges, or compromised CAD asset libraries. When a victim opens or imports the file in an affected Autodesk product, the parser triggers the out-of-bounds read. No network access or elevated privileges are required, and the attacker inherits the privileges of the user running the Autodesk application.

No public proof-of-concept code or in-the-wild exploitation has been reported for CVE-2025-9460. Refer to the Autodesk Security Advisory ADSK-SA-2025-0024 for technical specifics.

Detection Methods for CVE-2025-9460

Indicators of Compromise

  • Unexpected crashes, Windows Error Reporting (WER) entries, or faulting module events naming Autodesk Shared Components after a user opens an SLDPRT file
  • SLDPRT files arriving from external sources, especially via email attachments or unmanaged file shares, that are inconsistent with normal engineering workflows
  • Child processes spawned by acad.exe, inventor.exe, revit.exe, 3dsmax.exe, or related Autodesk binaries shortly after a file-open event

Detection Strategies

  • Monitor process telemetry for Autodesk applications loading SLDPRT files followed by anomalous process creation, shellcode-like memory regions, or unsigned module loads
  • Flag access violations and exception events tied to Autodesk Shared Components DLLs within Endpoint Detection and Response (EDR) telemetry
  • Inspect inbound CAD files using static analysis or sandbox detonation before they reach engineering workstations

Monitoring Recommendations

  • Centralize Autodesk application crash dumps and parser exception logs for correlation with file-open events
  • Track which user accounts and hosts open externally sourced SLDPRT files and alert on unusual volume or origin
  • Subscribe to Autodesk Trust Center advisories to receive updates on related shared-component vulnerabilities

How to Mitigate CVE-2025-9460

Immediate Actions Required

  • Apply the updates referenced in Autodesk Security Advisory ADSK-SA-2025-0024 to all affected Autodesk 2026 products and Shared Components installations
  • Restrict opening SLDPRT files from untrusted or unverified sources until patches are deployed across the engineering fleet
  • Inventory endpoints running Autodesk 2026 products via the Autodesk Access client to confirm patch coverage

Patch Information

Autodesk has published fixed versions through Autodesk Access and the Autodesk Account portal. Administrators should review Autodesk Security Advisory ADSK-SA-2025-0024 for product-specific build numbers and deployment guidance. Because the vulnerability is in Shared Components, updating one product alone does not protect other Autodesk products on the same host.

Workarounds

  • Block SLDPRT attachments at the email gateway and quarantine files originating outside trusted supplier channels
  • Use a dedicated, network-isolated workstation for opening third-party CAD files until patching is complete
  • Apply application allowlisting to prevent Autodesk processes from spawning interpreters or command shells
bash
# Example: enumerate installed Autodesk 2026 products on Windows for patch verification
Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*' |
  Where-Object { $_.DisplayName -like 'Autodesk*2026*' } |
  Select-Object DisplayName, DisplayVersion, Publisher |
  Sort-Object DisplayName

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.