CVE-2024-23140

7.8 HIGH

📋 TL;DR

A specially crafted 3DM or MODEL file can trigger an out-of-bounds read in the Autodesk components that parse these formats (opennurbs.dll and atf_api.dll). An attacker who convinces a user to open such a file could crash the application, read sensitive memory contents, or potentially execute arbitrary code. Users of affected Autodesk software are at risk.

💻 Affected Systems

Products:
  • Autodesk applications using opennurbs.dll and atf_api.dll
Versions: Multiple versions prior to patches released in 2024
Operating Systems: Windows, macOS, Linux (where applicable)
Default Config Vulnerable: ⚠️ Yes
Notes: Affects all default installations of vulnerable Autodesk software. Specific product list available in vendor advisory.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case: Remote code execution leading to complete system compromise, data theft, or ransomware deployment.

🟠 Likely Case: Application crashes causing denial of service and potential data corruption or limited information disclosure.

🟢 If Mitigated: Application crash with no data loss if proper file validation and sandboxing are implemented.

🌐 Internet-Facing: MEDIUM - Requires user interaction to open malicious files, but could be delivered via email or downloads.
🏢 Internal Only: MEDIUM - Similar risk internally if users open untrusted files from network shares or email.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Requires user to open malicious file. No public exploit code known at this time.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Versions specified in Autodesk Security Advisory ADSK-SA-2024-0009

Vendor Advisory: https://www.autodesk.com/trust/security-advisories/adsk-sa-2024-0009

Restart Required: Yes

Instructions:

1. Identify affected Autodesk products.
2. Check Autodesk Account or the product's update mechanism.
3. Apply the latest security updates.
4. Restart affected applications.

🔧 Temporary Workarounds

Restrict file types (applies to: all): Block or restrict 3DM and MODEL files from untrusted sources

Application sandboxing (applies to: all): Run Autodesk applications in restricted environments

🧯 If You Can't Patch

  • Implement strict file validation policies for 3DM/MODEL files
  • Use application whitelisting to prevent unauthorized Autodesk software execution

🔍 How to Verify

Check if Vulnerable:

Check the Autodesk product version against the advisory, and check whether opennurbs.dll or atf_api.dll is present in the installation directory.

Check Version:

Check via Autodesk product 'About' dialog or Windows 'Programs and Features'

Verify Fix Applied:

Verify product version matches patched versions in advisory. Check file hashes of updated DLLs.
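The DLL inventory and hash check described above, as an added example (not code from the page or from Autodesk): it walks one or more install roots, records every copy of opennurbs.dll and atf_api.dll with its SHA-256, and marks each copy "patched" only when its hash is in a known-good set. The known-good hashes would come from the vendor advisory; the values here are a placeholder and a hash derived from a constructed file, and the directory layout in `demo()` is constructed so the script runs offline.

```python
import hashlib
import os
import tempfile
from pathlib import Path
from typing import Dict, Iterable, List, Set, Tuple

# The two parser DLLs the advisory names
TARGET_DLLS = {"opennurbs.dll", "atf_api.dll"}


def sha256_file(path: str) -> str:
    """SHA-256 of a file, read in 1 MiB chunks so a large DLL need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def inventory(roots: Iterable[str]) -> List[Tuple[str, str]]:
    """Walk each root (e.g. the Autodesk install directory) and return
    (path, sha256) for every copy of a target DLL found underneath it."""
    found: List[Tuple[str, str]] = []
    for root in roots:
        for dirpath, _dirs, files in os.walk(root):
            for name in files:
                if name.lower() in TARGET_DLLS:
                    full = os.path.join(dirpath, name)
                    found.append((full, sha256_file(full)))
    return found


def classify(found: List[Tuple[str, str]], known_good: Dict[str, Set[str]]) -> Dict[str, str]:
    """Mark a DLL copy 'patched' when its hash is in the known-good set for that
    filename, otherwise 'unverified' (the copy needs a manual version check)."""
    report: Dict[str, str] = {}
    for path, digest in found:
        good = known_good.get(Path(path).name.lower(), set())
        report[path] = "patched" if digest in good else "unverified"
    return report


def demo() -> Dict[str, str]:
    """Self-contained run over a constructed directory tree; no real install needed."""
    with tempfile.TemporaryDirectory() as tmp:
        patched = Path(tmp, "Autodesk", "ProductA", "opennurbs.dll")  # constructed
        stale = Path(tmp, "Autodesk", "ProductB", "atf_api.dll")      # constructed
        for p in (patched, stale):
            p.parent.mkdir(parents=True, exist_ok=True)
        patched.write_bytes(b"constructed: patched opennurbs build")
        stale.write_bytes(b"constructed: pre-patch atf_api build")
        # Known-good hashes come from the vendor advisory in practice; here one is
        # derived from the constructed file and the other is a placeholder string.
        known_good = {
            "opennurbs.dll": {sha256_file(str(patched))},
            "atf_api.dll": {"<sha256 of patched atf_api.dll from ADSK-SA-2024-0009>"},
        }
        report = classify(inventory([tmp]), known_good)
        return {Path(p).name: status for p, status in report.items()}


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{name}: {status}")
```

On a real host, call `inventory([...])` with the product install root(s) instead of the temporary tree. A hash match proves only that the file equals a known-good build; an "unverified" result is a prompt to confirm the product version via the About dialog, not proof the host is vulnerable.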

📡 Detection & Monitoring

Log Indicators:

  • Application crashes from Autodesk software
  • Memory access violation errors
  • Unexpected file parsing errors

Network Indicators:

  • Downloads of 3DM/MODEL files from untrusted sources
  • Unusual outbound connections after file opens

SIEM Query:

(EventID=1000 OR EventID=1001) AND ProcessName contains 'Autodesk' AND ExceptionCode=c0000005

The parentheses matter: in most query languages AND binds tighter than OR, so without them the query would match every Event ID 1000 regardless of process or exception code.
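The SIEM query above as a standalone check, added here as an example (not code from the page or from Autodesk): it parses Windows Application-log crash events (1000, Application Error; 1001, Windows Error Reporting), keeps those whose exception code is the access violation c0000005, and matches on an Autodesk process as the query does, widened to also match a fault inside either DLL the advisory names. The event records are constructed samples, and the executable names and paths in them are assumptions.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Windows Application log event IDs that record process crashes:
# 1000 = Application Error, 1001 = Windows Error Reporting (WER)
CRASH_EVENT_IDS = {1000, 1001}
ACCESS_VIOLATION = 0xC0000005          # STATUS_ACCESS_VIOLATION
# Parser DLLs named in the advisory
WATCHED_MODULES = {"opennurbs.dll", "atf_api.dll"}

# Event 1000 message layout: "Faulting application name: x.exe, version: ..."
_APP_1000 = re.compile(r"Faulting application name: ([^,]+)", re.I)
_MOD_1000 = re.compile(r"Faulting module name: ([^,]+)", re.I)
_CODE_1000 = re.compile(r"Exception code: 0x([0-9a-f]+)", re.I)
_PATH_1000 = re.compile(r"Faulting application path: ([^,\n]+)", re.I)
# Event 1001 "Problem signature" block: P1 = app, P4 = faulting module, P7 = exception code
_SIG_1001 = re.compile(r"P(\d+): ([^\r\n]*)")


@dataclass
class Crash:
    event_id: int
    app: str            # faulting executable name
    app_path: str       # full path when the event carries it, else ""
    module: str         # faulting module name
    exception_code: int


def parse_crash(event: dict) -> Optional[Crash]:
    """Turn one Application-log event ({'EventID': int, 'Message': str}) into a Crash, or None."""
    eid = event.get("EventID")
    msg = event.get("Message", "")
    if eid == 1000:
        app, mod, code = _APP_1000.search(msg), _MOD_1000.search(msg), _CODE_1000.search(msg)
        if not (app and mod and code):
            return None
        path = _PATH_1000.search(msg)
        return Crash(eid, app.group(1).strip(), path.group(1).strip() if path else "",
                     mod.group(1).strip(), int(code.group(1), 16))
    if eid == 1001:
        sig = {int(n): v.strip() for n, v in _SIG_1001.findall(msg)}
        if not all(k in sig for k in (1, 4, 7)):
            return None
        try:
            code = int(sig[7], 16)
        except ValueError:
            return None
        return Crash(eid, sig[1], "", sig[4], code)
    return None


def matches_advisory(c: Crash) -> bool:
    """The page's query logic (crash + Autodesk process + access violation), widened to
    also flag an access violation whose faulting module is one of the named DLLs."""
    if c.exception_code != ACCESS_VIOLATION:
        return False
    in_autodesk = "autodesk" in (c.app + c.app_path).lower()
    in_watched_dll = c.module.lower() in WATCHED_MODULES
    return in_autodesk or in_watched_dll


def find_suspicious_crashes(events: Iterable[dict]) -> List[Crash]:
    return [c for c in map(parse_crash, events) if c is not None and matches_advisory(c)]


# Constructed sample events (not real telemetry); product names and paths are assumptions.
SAMPLE_EVENTS = [
    {"EventID": 1000, "Message":
        "Faulting application name: acad.exe, version: 0.0.0.0, time stamp: 0x00000000\n"
        "Faulting module name: opennurbs.dll, version: 0.0.0.0, time stamp: 0x00000000\n"
        "Exception code: 0xc0000005\nFault offset: 0x0000000000001234\n"
        "Faulting application path: C:\\Program Files\\Autodesk\\AutoCAD\\acad.exe\n"
        "Faulting module path: C:\\Program Files\\Autodesk\\AutoCAD\\opennurbs.dll"},
    {"EventID": 1001, "Message":
        "Fault bucket 0, type 0\nEvent Name: APPCRASH\nProblem signature:\n"
        "P1: Inventor.exe\nP2: 0.0.0.0\nP3: 00000000\nP4: atf_api.dll\nP5: 0.0.0.0\n"
        "P6: 00000000\nP7: c0000005\nP8: 000000000000abcd\nP9: \nP10: "},
    # Unrelated process and module: an access violation, but not in scope
    {"EventID": 1000, "Message": "Faulting application name: notepad.exe, version: 0.0.0.0\n"
        "Faulting module name: ntdll.dll, version: 0.0.0.0\nException code: 0xc0000005"},
    # Autodesk process, but a different exception code (stack buffer check), so not matched
    {"EventID": 1000, "Message": "Faulting application name: acad.exe, version: 0.0.0.0\n"
        "Faulting module name: opennurbs.dll, version: 0.0.0.0\nException code: 0xc0000409"},
    {"EventID": 4624, "Message": "An account was successfully logged on."},
]

if __name__ == "__main__":
    for hit in find_suspicious_crashes(SAMPLE_EVENTS):
        print(f"event {hit.event_id}: {hit.app} faulted in {hit.module} ({hit.exception_code:#x})")
```

Matching on the faulting module as well as the process name avoids missing a crash in a product whose executable name or path does not contain "Autodesk"; the second sample event shows that case. A hit is a lead for triage (which file was opened, from where), not proof of exploitation, since access violations in parsers also occur on merely corrupt files.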

🔗 References
