CVE-2024-37006

7.8 HIGH

📋 TL;DR

A maliciously crafted CATPRODUCT file, when parsed by CC5Dll.dll in the affected Autodesk applications, triggers a write access violation (an out-of-bounds write). An attacker who convinces a user to open or import such a file can crash the application, corrupt memory, or execute arbitrary code in the context of the current process, that is, with the privileges of the logged-on user. Any installation of the listed products that can import CATPRODUCT files is affected.

💻 Affected Systems

Products:
  • Autodesk Advance Steel
  • Autodesk Civil 3D
  • Autodesk Inventor
  • Autodesk Navisworks
  • Autodesk AutoCAD
Versions: the 2023, 2024 and 2025 releases of the products above (see the vendor advisory for the exact builds and the hotfix that fixes each one)
Operating Systems: Windows
Default Config Vulnerable: ⚠️ Yes
Notes: Exploitation requires a user to open or import an attacker-supplied CATPRODUCT file. The vulnerable parser (CC5Dll.dll) ships with every default installation, so no non-default configuration is needed to be exposed.

📦 What is this software?

AutoCAD, Civil 3D, Advance Steel, Inventor and Navisworks are Autodesk's Windows desktop CAD/BIM applications, widely deployed on engineering workstations. CATPRODUCT is the CATIA V5 assembly file format; the affected products import it through the CC5Dll.dll parser in which this vulnerability lives.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Arbitrary code execution as the user who opened the file. On engineering workstations that user is frequently a local administrator, in which case this is full compromise of the host and a foothold for lateral movement; the vulnerability itself does not grant SYSTEM privileges.

🟠

Likely Case

Code execution in the context of the current user (the bug is not a privilege escalation by itself), enabling data theft, ransomware deployment, or persistence on the workstation.

🟢

If Mitigated

Limited impact: the affected applications do not ship with a sandbox, but if the process runs as a non-administrative user with Windows exploit mitigations (DEP, ASLR) in effect, an exploitation attempt is more likely to end in an application crash (denial of service) than in code execution.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires the victim to open or import an attacker-supplied CATPRODUCT file, so the attack vector is local with user interaction required and no prior privileges; the 7.8 score reflects high confidentiality, integrity and availability impact under that vector. Turning a write access violation into reliable code execution still requires the attacker to defeat ASLR and DEP in the target process, which is why complexity is rated medium. The advisory does not state that a second vulnerability is needed.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Refer to Autodesk Security Advisory ADSK-SA-2024-0009 for specific patched versions

Vendor Advisory: https://www.autodesk.com/trust/security-advisories/adsk-sa-2024-0009

Restart Required: Yes

Instructions:

1. Open the affected Autodesk application.
2. Navigate to Help > About > Check for Updates, or use Autodesk Access (the desktop update client) or the Product Updates area of your Autodesk Account, where the security hotfixes referenced in ADSK-SA-2024-0009 are published.
3. Install all available security updates for every affected product on the machine (a workstation often carries more than one, e.g. AutoCAD and Inventor).
4. Restart the application and the system as prompted.

🔧 Temporary Workarounds

Restrict CATPRODUCT file handling

windows

Block CATPRODUCT attachments at the mail gateway and web proxy, and remove the .CATPRODUCT file association on workstations (via group policy) so that double-clicking a file no longer launches the vulnerable application. A user can still import the file from inside the application (File > Import), so this removes only the most convenient delivery path, not the vulnerability.

User awareness training

all

Train users to treat CATPRODUCT (and other CAD exchange) files received from outside the organization as untrusted and not to open or import them, and give them a reporting path for unexpected CAD attachments.

🧯 If You Can't Patch

  • Implement application allowlisting (AppLocker or WDAC) to prevent execution of unauthorized binaries. This does not stop shellcode running inside the already-trusted Autodesk process, but it does block the dropped payloads and script hosts that typically follow.
  • Apply least privilege: ensure the Autodesk applications run under a standard (non-administrator) user account, so that code execution as that user does not immediately become full control of the host.
  • Enable Windows exploit mitigations (DEP, ASLR, CFG) for the Autodesk executables through Windows Defender Exploit Protection, which raises the cost of turning the write access violation into code execution.

🔍 How to Verify

Check if Vulnerable:

Compare the installed release and update level of each Autodesk product (Help > About) with the affected builds listed in ADSK-SA-2024-0009; every 2023, 2024 or 2025 release without the corresponding security hotfix is vulnerable. Check every affected product installed on the machine, not just the one most used.

Check Version:

In Autodesk application: Help > About [Application Name]

Verify Fix Applied:

Verify that the application version has been updated to the patched version specified in the vendor advisory. As a second check, record the file version of CC5Dll.dll in the product's installation folder before patching and confirm that it changed afterwards, since that module is where the vulnerable parser lives.

📡 Detection & Monitoring

Log Indicators:

  • Application crashes of acad.exe or Inventor.exe (Windows Application Error, Event ID 1000) whose "Faulting module name" is CC5Dll.dll, which can indicate a failed exploitation attempt as well as a benign bad file
  • Unexpected child processes of the Autodesk applications, e.g. cmd.exe, powershell.exe, wscript.exe or mshta.exe spawned with acad.exe or Inventor.exe as the parent (Sysmon Event ID 1, ParentImage field)
  • CATPRODUCT files written to disk by mail clients or browsers (Sysmon Event ID 11) and then loaded by an Autodesk process shortly afterwards

Network Indicators:

  • Outbound connections from Autodesk processes, or from their children, to hosts other than Autodesk licensing and update services
  • Downloads of CATPRODUCT files from untrusted or newly seen external sources

SIEM Query:

Process Creation where (Image contains 'acad.exe' OR Image contains 'Inventor.exe') AND CommandLine contains '.CATPRODUCT'

This query only fires when the file is opened by double-click, because that is the only case in which the path appears on the command line; a file imported from inside the application (File > Import) leaves no command-line trace. Pair it with a parent/child rule, which catches the post-exploitation step regardless of how the file was opened:

Process Creation where (ParentImage endswith 'acad.exe' OR ParentImage endswith 'Inventor.exe') AND Image in ('cmd.exe', 'powershell.exe', 'wscript.exe', 'cscript.exe', 'mshta.exe', 'rundll32.exe')

Add the executables for Navisworks and Advance Steel as deployed in your environment.
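The detection logic from the log and SIEM indicators above, worked through as an added Python example (not code from the original page or from Autodesk). It consumes Sysmon-style events (Event ID 1 process creation, 7 image load, 11 file create), records every way a CATPRODUCT file can be seen reaching a CAD host, including the CC5Dll.dll image load that covers File > Import, and raises a suspicious child of acad.exe or Inventor.exe from "high" to "critical" when such an exposure happened on the same host within the preceding ten minutes. The sample events, install paths and the benign helper.exe are constructed for the example; the Autodesk process names beyond acad.exe and Inventor.exe are left for the reader to add.

```python
"""Hunt for post-exploitation activity around CATPRODUCT imports in Autodesk
applications (CVE-2024-37006).

Added example, not code from the original page or from Autodesk.  Field names
follow Sysmon (EventID 1 ProcessCreate, 7 ImageLoad, 11 FileCreate); every
event in SAMPLE_EVENTS is constructed, and the install paths are assumptions.
"""
from datetime import datetime, timedelta

# Autodesk host processes that load CC5Dll.dll to parse CATPRODUCT files.
# Assumed: acad.exe also hosts Civil 3D and Advance Steel; extend for Navisworks.
CAD_HOSTS = {"acad.exe", "inventor.exe"}

# Children a CAD application has no legitimate reason to spawn.
SUSPICIOUS_CHILDREN = {
    "cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
    "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe", "bitsadmin.exe",
}

# A suspicious child this soon after a CATPRODUCT exposure is escalated.
WINDOW = timedelta(minutes=10)


def _base(path):
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _ts(text):
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S")


def exposure(event):
    """Describe the event if it shows a CATPRODUCT file reaching a CAD host, else None.

    Three observable forms: the file written to disk, the host launched with the
    file on its command line (double-click), or CC5Dll.dll loaded into the host,
    which also covers File > Import, where the command line shows nothing."""
    eid, image = event["EventID"], _base(event.get("Image", ""))
    if eid == 11 and _base(event["TargetFilename"]).endswith(".catproduct"):
        return f"CATPRODUCT written by {image}: {event['TargetFilename']}"
    if eid == 1 and image in CAD_HOSTS and ".catproduct" in event.get("CommandLine", "").lower():
        return f"{image} launched with a CATPRODUCT argument"
    if eid == 7 and image in CAD_HOSTS and _base(event["ImageLoaded"]) == "cc5dll.dll":
        return f"CC5Dll.dll loaded into {image}"
    return None


def correlate(events):
    """Alert on suspicious children of CAD processes ('high'); raise to 'critical'
    when the same host saw a CATPRODUCT exposure within WINDOW beforehand."""
    alerts, last_exposure = [], {}          # last_exposure: computer -> (time, why)
    for ev in sorted(events, key=lambda e: _ts(e["UtcTime"])):
        host, when = ev["Computer"], _ts(ev["UtcTime"])
        why = exposure(ev)
        if why:
            last_exposure[host] = (when, why)
            continue
        if ev["EventID"] != 1 or _base(ev.get("ParentImage", "")) not in CAD_HOSTS:
            continue
        child = _base(ev["Image"])
        if child not in SUSPICIOUS_CHILDREN:
            continue                         # benign helpers the CAD app spawns
        alert = {"computer": host, "time": ev["UtcTime"], "parent": _base(ev["ParentImage"]),
                 "child": child, "command_line": ev.get("CommandLine", ""),
                 "severity": "high", "context": None}
        seen = last_exposure.get(host)
        if seen and timedelta(0) <= when - seen[0] <= WINDOW:
            alert["severity"], alert["context"] = "critical", seen[1]
        alerts.append(alert)
    return alerts


# Constructed telemetry (not real captures): a mailed file opened on WS01, an
# unexplained shell on WS02, and a stale (out-of-window) download on WS03.
ACAD = r"C:\Program Files\Autodesk\AutoCAD 2024\acad.exe"
INV = r"C:\Program Files\Autodesk\Inventor 2025\Bin\Inventor.exe"
SAMPLE_EVENTS = [
    {"EventID": 11, "UtcTime": "2024-07-01 08:00:00", "Computer": "WS03", "Image": r"C:\browser\firefox.exe",
     "TargetFilename": r"C:\Users\carol\Downloads\frame.CATProduct"},
    {"EventID": 1, "UtcTime": "2024-07-01 09:00:00", "Computer": "WS03", "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": ACAD, "CommandLine": "cmd.exe /c whoami"},
    {"EventID": 11, "UtcTime": "2024-07-01 10:00:00", "Computer": "WS01", "Image": r"C:\office\OUTLOOK.EXE",
     "TargetFilename": r"C:\Users\alice\Downloads\quote.CATProduct"},
    {"EventID": 1, "UtcTime": "2024-07-01 10:01:00", "Computer": "WS01", "Image": ACAD,
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": f'"{ACAD}" "C:\\Users\\alice\\Downloads\\quote.CATProduct"'},
    {"EventID": 7, "UtcTime": "2024-07-01 10:01:05", "Computer": "WS01", "Image": ACAD,
     "ImageLoaded": r"C:\Program Files\Autodesk\AutoCAD 2024\CC5Dll.dll"},
    {"EventID": 1, "UtcTime": "2024-07-01 10:01:30", "Computer": "WS01",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "ParentImage": ACAD,
     "CommandLine": "powershell.exe -nop -w hidden -enc AAAA"},
    {"EventID": 1, "UtcTime": "2024-07-01 10:02:00", "Computer": "WS02", "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": INV, "CommandLine": "cmd.exe /c dir"},
    {"EventID": 1, "UtcTime": "2024-07-01 10:03:00", "Computer": "WS02",   # hypothetical benign helper
     "Image": r"C:\Program Files\Autodesk\Inventor 2025\Bin\helper.exe", "ParentImage": INV,
     "CommandLine": "helper.exe"},
]

if __name__ == "__main__":
    for a in correlate(SAMPLE_EVENTS):
        print(f"{a['severity']:8} {a['computer']} {a['time']} {a['parent']} -> {a['child']}  {a['context'] or ''}")
```

Run against the constructed events this yields three alerts: WS01 is critical because the PowerShell child appears 25 seconds after CC5Dll.dll was loaded into acad.exe, while WS02 (no CATPRODUCT seen) and WS03 (file downloaded an hour earlier) stay at high. The ten-minute window and the child list are tuning knobs; a CAD application that legitimately launches shells in your environment should be excluded rather than the rule disabled.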
