CVE-2025-9460 Overview
CVE-2025-9460 is an Out-of-Bounds Read vulnerability [CWE-125] affecting Autodesk Shared Components and a broad set of Autodesk 2026 design products. The flaw triggers when a maliciously crafted SLDPRT (SolidWorks part) file is parsed by an affected Autodesk application. An attacker who convinces a user to open a weaponized file can crash the application, read sensitive process memory, or execute arbitrary code in the context of the current process. Because the vulnerability impacts shared parsing components, it propagates across AutoCAD, Inventor, Revit, 3ds Max, Civil 3D, and other products that share the same code path.
Critical Impact
Successful exploitation enables arbitrary code execution in the context of the logged-in user, with potential for information disclosure or process crash on engineering workstations.
Affected Products
- Autodesk Shared Components
- Autodesk AutoCAD 2026 and product family (Architecture, Electrical, Map 3D, Mechanical, MEP, Plant 3D)
- Autodesk Inventor 2026, Revit 2026, Revit LT 2026, 3ds Max 2026, Advance Steel 2026, Civil 3D 2026, InfraWorks 2026, and Vault 2026
Discovery Timeline
- 2025-12-16 - CVE-2025-9460 published to NVD
- 2025-12-19 - Last updated in NVD database
Technical Details for CVE-2025-9460
Vulnerability Analysis
The vulnerability resides in the SLDPRT file parsing logic implemented in Autodesk Shared Components. SLDPRT is the native SolidWorks part-file format, which Autodesk products parse during file import and translation workflows. When the parser processes a malformed structure inside an SLDPRT file, it reads beyond the bounds of an allocated buffer. This Out-of-Bounds Read [CWE-125] returns adjacent heap or stack memory contents to the parser logic.
Attackers can weaponize the out-of-bounds condition in three ways. They can crash the host process for denial of service. They can exfiltrate sensitive memory contents, including pointers useful for bypassing Address Space Layout Randomization (ASLR). They can also combine the leak with control over downstream parsing state to achieve arbitrary code execution in the user context.
Root Cause
The root cause is missing or incorrect bounds validation on a length, offset, or index field inside the SLDPRT binary structure. The parser trusts attacker-controlled size fields and reads memory based on those values without verifying that the read remains within the allocated buffer. Because the affected code lives in Autodesk Shared Components, every downstream product that links the component inherits the same flaw.
Attack Vector
Exploitation requires local user interaction. An attacker must deliver a malicious SLDPRT file through email, shared project repositories, supplier file exchanges, or compromised CAD asset libraries. When a victim opens or imports the file in an affected Autodesk product, the parser triggers the out-of-bounds read. No network access or elevated privileges are required, and the attacker inherits the privileges of the user running the Autodesk application.
No public proof-of-concept code or in-the-wild exploitation has been reported for CVE-2025-9460. Refer to the Autodesk Security Advisory ADSK-SA-2025-0024 for technical specifics.
Detection Methods for CVE-2025-9460
Indicators of Compromise
- Unexpected crashes, Windows Error Reporting (WER) entries, or faulting module events naming Autodesk Shared Components after a user opens an SLDPRT file
- SLDPRT files arriving from external sources, especially via email attachments or unmanaged file shares, that are inconsistent with normal engineering workflows
- Child processes spawned by acad.exe, inventor.exe, revit.exe, 3dsmax.exe, or related Autodesk binaries shortly after a file-open event
Detection Strategies
- Monitor process telemetry for Autodesk applications loading SLDPRT files followed by anomalous process creation, shellcode-like memory regions, or unsigned module loads
- Flag access violations and exception events tied to Autodesk Shared Components DLLs within Endpoint Detection and Response (EDR) telemetry
- Inspect inbound CAD files using static analysis or sandbox detonation before they reach engineering workstations
Monitoring Recommendations
- Centralize Autodesk application crash dumps and parser exception logs for correlation with file-open events
- Track which user accounts and hosts open externally sourced SLDPRT files and alert on unusual volume or origin
- Subscribe to Autodesk Trust Center advisories to receive updates on related shared-component vulnerabilities
How to Mitigate CVE-2025-9460
Immediate Actions Required
- Apply the updates referenced in Autodesk Security Advisory ADSK-SA-2025-0024 to all affected Autodesk 2026 products and Shared Components installations
- Restrict opening SLDPRT files from untrusted or unverified sources until patches are deployed across the engineering fleet
- Inventory endpoints running Autodesk 2026 products via the Autodesk Access client to confirm patch coverage
Patch Information
Autodesk has published fixed versions through Autodesk Access and the Autodesk Account portal. Administrators should review Autodesk Security Advisory ADSK-SA-2025-0024 for product-specific build numbers and deployment guidance. Because the vulnerability is in Shared Components, updating one product alone does not protect other Autodesk products on the same host.
Workarounds
- Block SLDPRT attachments at the email gateway and quarantine files originating outside trusted supplier channels
- Use a dedicated, network-isolated workstation for opening third-party CAD files until patching is complete
- Apply application allowlisting to prevent Autodesk processes from spawning interpreters or command shells
# Example: enumerate installed Autodesk 2026 products on Windows for patch verification
Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*' |
Where-Object { $_.DisplayName -like 'Autodesk*2026*' } |
Select-Object DisplayName, DisplayVersion, Publisher |
Sort-Object DisplayName
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

