CVE-2024-11454
📋 TL;DR
This DLL hijacking vulnerability in Autodesk Revit allows attackers to execute arbitrary code by placing a malicious DLL in the same directory as an RVT file. When Revit loads the RVT file, it may load the malicious DLL instead of legitimate libraries due to an untrusted search path. This affects all Revit users who open RVT files from untrusted sources or directories.
💻 Affected Systems
- Autodesk Revit
📦 What is this software?
Revit by Autodesk
⚠️ Risk & Real-World Impact
Worst Case
Full system compromise with attacker gaining the same privileges as the Revit user, potentially leading to data theft, ransomware deployment, or lateral movement within the network.
Likely Case
Local privilege escalation or malware execution when users open RVT files from untrusted locations like email attachments or downloaded files.
If Mitigated
Limited impact if users only open RVT files from trusted, controlled directories and have proper endpoint security.
🎯 Exploit Status
Exploitation requires user interaction (opening an RVT file) and placing a malicious DLL in the same directory. No authentication bypass is needed beyond tricking the user into opening the file.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2025.1.1 and later
Vendor Advisory: https://www.autodesk.com/trust/security-advisories/adsk-sa-2024-0025
Restart Required: Yes
Instructions:
1. Open Autodesk Desktop App or Autodesk Account.
2. Check for updates.
3. Install Revit 2025.1.1 or later.
4. Restart Revit after installation.
🔧 Temporary Workarounds
Restrict DLL loading from current directory
Windows: Set CWDIllegalInDllSearch registry key to prevent DLL loading from current directory
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager" /v CWDIllegalInDllSearch /t REG_DWORD /d 0xFFFFFFFF /f
Use SafeDllSearchMode
Windows: Enable Safe DLL search mode to prioritize system directories
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager" /v SafeDllSearchMode /t REG_DWORD /d 1 /f
🧯 If You Can't Patch
- Only open RVT files from trusted, controlled directories
- Implement application whitelisting to prevent unauthorized DLL execution
🔍 How to Verify
Check if Vulnerable:
Check the Revit version: if it is earlier than 2025.1.1, the system is vulnerable
Check Version:
In Revit: Help > About Autodesk Revit
Verify Fix Applied:
Verify Revit version is 2025.1.1 or later in Help > About Autodesk Revit
📡 Detection & Monitoring
Log Indicators:
- Revit loading DLLs from non-system directories
- Process creation events from Revit with unusual parent/child relationships
Network Indicators:
- Unexpected outbound connections from Revit process
SIEM Query:
Process Creation where Image contains "revit.exe" and CommandLine contains ".dll" and not (CommandLine contains "C:\Windows" or CommandLine contains "C:\Program Files")
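The "Revit loading DLLs from non-system directories" indicator can be checked against image-load telemetry. The sketch below is an added example, not code from Autodesk or from this page's source. It assumes events carry the Sysmon Event ID 7 fields `Image` and `ImageLoaded`; the trusted roots, the sample events, the Revit install path and the `rvt_files` parameter are constructed for illustration.

```python
import ntpath

# Assumption: install roots treated as trusted; adjust per environment.
TRUSTED_ROOTS = (r"C:\Windows", r"C:\Program Files", r"C:\Program Files (x86)")
REVIT = r"C:\Program Files\Autodesk\Revit 2025\Revit.exe"  # constructed path

# Constructed events using Sysmon Event ID 7 (ImageLoad) field names.
SAMPLE_EVENTS = [
    {"Image": REVIT, "ImageLoaded": r"C:\Windows\System32\version.dll"},
    {"Image": REVIT, "ImageLoaded": r"C:\Users\alice\Downloads\tower\version.dll"},
    {"Image": REVIT, "ImageLoaded": r"C:\Program Files Evil\helper.dll"},
    {"Image": REVIT, "ImageLoaded": r"C:\Windows\..\Temp\job\helper.dll"},
    {"Image": r"C:\Windows\explorer.exe",
     "ImageLoaded": r"C:\Users\alice\Downloads\tower\shellext.dll"},
]
# Constructed: RVT files the user opened, known from other telemetry.
SAMPLE_RVT_FILES = [r"C:\Users\alice\Downloads\tower\tower.rvt"]

def norm(path):
    """Collapse '..' segments and case so prefix checks cannot be sidestepped."""
    return ntpath.normcase(ntpath.normpath(path))

def is_trusted(dll_path):
    p = norm(dll_path)
    # Match a whole path component so "C:\Program Files Evil" does not pass.
    return any(p.startswith(norm(root) + "\\") for root in TRUSTED_ROOTS)

def suspicious_loads(events, rvt_files=(), process="revit.exe"):
    """Return (dll_path, reason) for DLLs Revit loaded from untrusted folders."""
    rvt_dirs = {norm(ntpath.dirname(f)) for f in rvt_files}
    hits = []
    for ev in events:
        if ntpath.basename(ev["Image"]).lower() != process:
            continue  # only image loads performed by the Revit process
        dll = norm(ev["ImageLoaded"])
        if is_trusted(dll):
            continue
        same_dir = ntpath.dirname(dll) in rvt_dirs
        hits.append((dll, "same directory as RVT" if same_dir
                     else "untrusted directory"))
    return hits

if __name__ == "__main__":
    for dll, reason in suspicious_loads(SAMPLE_EVENTS, SAMPLE_RVT_FILES):
        print(f"{reason}: {dll}")
```

A load from the folder that holds the opened RVT file is the pattern this CVE describes, so those hits deserve triage first.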