CVE-2025-10888

7.8 HIGH

📋 TL;DR

This CVE describes an out-of-bounds write in Autodesk products that occurs when a maliciously crafted MODEL file is parsed. An attacker who gets a user to open such a file can crash the application, corrupt data, or execute arbitrary code with the privileges of the current process. Users of the affected Autodesk software are at risk.

💻 Affected Systems

Products:
  • Autodesk Access
  • Other Autodesk products mentioned in advisory
Versions: Specific versions listed in Autodesk Security Advisory ADSK-SA-2025-0024
Operating Systems: Windows, macOS, Linux where applicable
Default Config Vulnerable: ⚠️ Yes
Notes: Vulnerability triggers when processing specially crafted MODEL files through affected Autodesk applications.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Remote code execution leading to complete system compromise, data theft, or ransomware deployment.

🟠 Likely Case: Application crashes and denial of service affecting productivity workflows.

🟢 If Mitigated: Limited impact with proper network segmentation and file validation controls.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Exploitation requires user interaction (the victim must open a malicious MODEL file), but no authentication is needed once the file is processed.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Versions specified in Autodesk Security Advisory ADSK-SA-2025-0024

Vendor Advisory: https://www.autodesk.com/trust/security-advisories/adsk-sa-2025-0024

Restart Required: Yes

Instructions:

1. Review Autodesk Security Advisory ADSK-SA-2025-0024
2. Identify affected products and versions in your environment
3. Download and install the latest patched versions from Autodesk
4. Restart systems after installation
5. Verify patch installation through version checks

🔧 Temporary Workarounds

Restrict MODEL file processing (all platforms): Block or restrict processing of untrusted MODEL files through affected Autodesk applications.

Application control policies (Windows): Implement application whitelisting to prevent unauthorized Autodesk application execution.

🧯 If You Can't Patch

  • Implement network segmentation to isolate Autodesk systems from critical assets
  • Deploy endpoint detection and response (EDR) solutions to monitor for exploitation attempts

🔍 How to Verify

Check if Vulnerable:

Check installed Autodesk product versions against vulnerable versions listed in ADSK-SA-2025-0024

Check Version:

Check through Autodesk product 'About' dialog or system information panels

Verify Fix Applied:

Verify installed version matches or exceeds patched versions specified in the advisory

📡 Detection & Monitoring

Log Indicators:

  • Application crashes in Autodesk products
  • Unusual file processing errors
  • Memory access violation logs

Network Indicators:

  • Unusual outbound connections from Autodesk processes
  • File downloads followed by application crashes

SIEM Query:

source="autodesk" AND (event_type="crash" OR error="access_violation")
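The query above is generic SIEM pseudo-syntax. The following Python script is an added example (not part of this CVE page or any Autodesk tooling) that applies the same logic offline to a handful of constructed log lines, so the detection can be tested before it is deployed: it flags crashes and access violations in Autodesk processes and marks whether a file download on the same host preceded the crash, which is the second network indicator listed above. The key="value" log format, the process-name pattern, the process names such as AutodeskAccess.exe, and the 5-minute correlation window are all assumptions for illustration.

```python
import re
from dataclasses import dataclass

# Assumed process-name pattern; extend it with the Autodesk binaries present in your estate.
AUTODESK_PROCESS = re.compile(r"(?i)\b(autodesk|acad|revit|inventor|fusion)\w*\.exe\b")
# Assumed key="value" log format (constructed for this example).
FIELD = re.compile(r'(\w+)="([^"]*)"')
DOWNLOAD_WINDOW_S = 300  # assumed window: a download within 5 minutes before the crash


@dataclass
class Alert:
    host: str
    process: str
    reason: str                 # "crash" or "access_violation"
    preceded_by_download: bool  # true when a download on the same host came shortly before


def parse_line(line: str) -> dict:
    """Turn one key="value" log line into a dict (constructed format)."""
    return dict(FIELD.findall(line))


def indicator(event: dict):
    """Return the page's log indicator matched by an Autodesk process event, else None."""
    if not AUTODESK_PROCESS.search(event.get("process", "")):
        return None
    if event.get("event_type") == "crash":
        return "crash"
    if event.get("error") == "access_violation":
        return "access_violation"
    return None


def scan(lines):
    """Apply the SIEM logic to log lines and correlate crashes with prior downloads per host."""
    events = [parse_line(line) for line in lines]
    events.sort(key=lambda e: int(e.get("ts", 0)))
    downloads_by_host = {}  # host -> timestamps of download events seen so far
    alerts = []
    for ev in events:
        host = ev.get("host", "?")
        ts = int(ev.get("ts", 0))
        if ev.get("event_type") == "download":
            downloads_by_host.setdefault(host, []).append(ts)
            continue
        reason = indicator(ev)
        if reason is None:
            continue
        recent = any(0 <= ts - d <= DOWNLOAD_WINDOW_S for d in downloads_by_host.get(host, []))
        alerts.append(Alert(host, ev.get("process", "?"), reason, recent))
    return alerts


# Constructed sample log lines; timestamps are epoch seconds, hosts and processes are made up.
SAMPLE_LOG = [
    'ts="1000" host="ws01" process="chrome.exe" event_type="download" file="part.model"',
    'ts="1120" host="ws01" process="AutodeskAccess.exe" event_type="crash" error="access_violation"',
    'ts="2000" host="ws02" process="revit.exe" event_type="error" error="access_violation"',
    'ts="3000" host="ws03" process="notepad.exe" event_type="crash"',
    'ts="4000" host="ws04" process="acad.exe" event_type="info" msg="file opened"',
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(alert)
```

Running the script yields two alerts: the crash on ws01 (flagged as preceded by a download, the higher-priority pattern) and the access violation on ws02; the notepad.exe crash and the benign acad.exe event are ignored. In a real SIEM the download source and the crashing process would come from separate log streams, so the host/timestamp join shown here is the part worth reproducing.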
