CVE-2024-23158

7.8 HIGH

📋 TL;DR

This vulnerability allows attackers to execute arbitrary code or cause crashes by tricking users into opening malicious IGES files in affected Autodesk applications. It affects users of Autodesk products that use the vulnerable ASMImport229A.dll component. Successful exploitation requires user interaction to open a crafted file.

💻 Affected Systems

Products:
  • Autodesk applications using ASMImport229A.dll for IGES file import
Versions: Specific versions not detailed in advisory; check Autodesk security advisory for exact affected versions
Operating Systems: Windows, macOS, Linux where Autodesk applications are supported
Default Config Vulnerable: ⚠️ Yes
Notes: Vulnerability exists in the IGES file parser within ASMImport229A.dll. All configurations using this component are vulnerable.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case: Remote code execution with the privileges of the current user, potentially leading to full system compromise, data theft, or ransomware deployment.

🟠 Likely Case: Application crashes and denial of service when users open malicious IGES files from untrusted sources.

🟢 If Mitigated: Limited impact with proper user training, file restrictions, and security controls preventing execution of malicious code.

🌐 Internet-Facing: MEDIUM - Requires user interaction to open malicious files, but these could be delivered via email, downloads, or compromised websites.
🏢 Internal Only: MEDIUM - Internal users could be tricked into opening malicious files, but network segmentation and endpoint controls can limit impact.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires user interaction to open malicious IGES files. The use-after-free vulnerability requires specific memory manipulation techniques.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Check Autodesk security advisory ADSK-SA-2024-0010 for specific patched versions

Vendor Advisory: https://www.autodesk.com/trust/security-advisories/adsk-sa-2024-0010

Restart Required: Yes

Instructions:

1. Visit the Autodesk security advisory page
2. Identify affected products and versions
3. Download and install the latest updates from Autodesk
4. Restart affected applications and systems

🔧 Temporary Workarounds

Restrict IGES file handling (applies to: all)

Block or restrict IGES files from untrusted sources using application controls or group policies

Disable IGES import functionality (applies to: windows)

Remove or disable the ASMImport229A.dll component if IGES import is not required

🧯 If You Can't Patch

  • Implement application whitelisting to prevent execution of malicious code
  • Educate users to never open IGES files from untrusted sources

🔍 How to Verify

Check if Vulnerable:

Check if ASMImport229A.dll exists in Autodesk application directories and verify version against patched releases

Check Version:

Check Autodesk application 'About' dialog or use vendor-specific version checking tools

Verify Fix Applied:

Verify application version matches or exceeds patched version listed in Autodesk advisory
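The three verification steps above can be done in one pass on a Windows host. The script below is an added example, not code from the advisory or from Autodesk: it searches the usual Autodesk install roots (an assumption; adjust for non-default installs) for every copy of ASMImport229A.dll, reads each copy's embedded file version, and compares it with a patched version you supply from ADSK-SA-2024-0010. The default value of -PatchedVersion is a placeholder because the advisory text on this page does not give the number.

```powershell
# Added example (not from the advisory or Autodesk): locate every copy of
# ASMImport229A.dll and report its file version next to the patched version
# taken from ADSK-SA-2024-0010. Run from an elevated PowerShell prompt so that
# all install directories are readable.
param(
    # Assumed install roots; add custom paths if Autodesk was installed elsewhere.
    [string[]]$SearchRoots = @(
        "$env:ProgramFiles\Autodesk",
        "${env:ProgramFiles(x86)}\Autodesk",
        "$env:ProgramData\Autodesk"
    ),
    # PLACEHOLDER: replace with the patched file version from the vendor advisory.
    [version]$PatchedVersion = [version]'0.0.0.0'
)

$dllName = 'ASMImport229A.dll'

# Collect every copy of the DLL under the search roots (several products may
# each ship their own copy, and all of them must be at the patched version).
$found = foreach ($root in $SearchRoots) {
    if (-not (Test-Path -LiteralPath $root)) { continue }
    Get-ChildItem -LiteralPath $root -Filter $dllName -Recurse -File -ErrorAction SilentlyContinue
}

if (-not $found) {
    Write-Output "$dllName not found under the searched roots; no IGES import component to assess here."
    return
}

$found | ForEach-Object {
    $vi = $_.VersionInfo
    # Build a comparable [version] from the numeric parts rather than the raw
    # FileVersion string, which may carry non-numeric suffixes.
    $numeric = [version]('{0}.{1}.{2}.{3}' -f $vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart)

    $status = if ($PatchedVersion -eq [version]'0.0.0.0') {
        'supply -PatchedVersion from ADSK-SA-2024-0010 to evaluate'
    } elseif ($numeric -ge $PatchedVersion) {
        'at or above patched version'
    } else {
        'BELOW patched version - treat as vulnerable'
    }

    [pscustomobject]@{
        Path        = $_.FullName
        FileVersion = $vi.FileVersion
        Product     = $vi.ProductName
        LastWrite   = $_.LastWriteTime
        Status      = $status
    }
} | Format-Table -AutoSize
```

Usage: `.\Find-ASMImport.ps1 -PatchedVersion <version from advisory>`. Because each Autodesk product can carry its own copy of the DLL, a single updated product does not clear the host; every row must read "at or above patched version" before the fix counts as applied.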

📡 Detection & Monitoring

Log Indicators:

  • Application crashes related to ASMImport229A.dll
  • Unexpected process terminations when opening IGES files

Network Indicators:

  • Downloads of IGES files from suspicious sources
  • Unusual outbound connections after IGES file processing

SIEM Query:

Process creation events for Autodesk applications followed by crash events or suspicious network activity
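The log indicators above translate directly into a hunt over the Windows Application log, where a crash inside the IGES parser is recorded by the Application Error provider (Event ID 1000) with the faulting module named in the message text. The script below is an added example, not part of the advisory and not a vendor tool: it pulls those events for the last N days, keeps only the ones that name ASMImport229A.dll, and extracts the fields a SIEM correlation rule would key on. The time window and field names are assumptions of the example.

```powershell
# Added example (not from the advisory): hunt the local Application log for
# application-crash events (provider "Application Error", Event ID 1000)
# whose faulting module is ASMImport229A.dll, which is the crash signature
# the advisory tells defenders to watch for.
param(
    [int]$Days = 30,                            # assumed look-back window
    [string]$ModuleName = 'ASMImport229A.dll'
)

$filter = @{
    LogName      = 'Application'
    ProviderName = 'Application Error'
    Id           = 1000
    StartTime    = (Get-Date).AddDays(-$Days)
}

# Event ID 1000 messages are free text; match the module name inside them.
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match [regex]::Escape($ModuleName) }

if (-not $events) {
    Write-Output "No Event ID 1000 crashes naming $ModuleName in the last $Days days."
    return
}

$events | ForEach-Object {
    $m = $_.Message
    # Pull out the fields a SIEM rule would key on.
    $app    = if ($m -match 'Faulting application name:\s*([^,]+)')     { $Matches[1].Trim() } else { '?' }
    $module = if ($m -match 'Faulting module name:\s*([^,]+)')          { $Matches[1].Trim() } else { '?' }
    $code   = if ($m -match 'Exception code:\s*(0x[0-9A-Fa-f]+)')       { $Matches[1] }        else { '?' }
    $path   = if ($m -match 'Faulting application path:\s*(.+?)\r?\n')  { $Matches[1].Trim() } else { '?' }

    [pscustomobject]@{
        Time           = $_.TimeCreated
        Computer       = $_.MachineName
        FaultingApp    = $app
        AppPath        = $path
        FaultingModule = $module
        ExceptionCode  = $code
    }
} | Sort-Object Time -Descending | Format-Table -AutoSize
```

Reading the output: a run of crashes in this module with exception code 0xC0000005 (access violation) shortly after a user opened an IGES file is the pattern worth escalating, since it matches the memory-corruption failure mode the advisory describes. To cover the network indicators listed above, correlate the crash time and the faulting application's process with outbound-connection telemetry from the same host (for example Sysmon Event ID 3) in the minutes that follow.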
