CVE-2025-10898

7.8 HIGH

📋 TL;DR

This CVE describes an out-of-bounds write vulnerability in Autodesk products when parsing malicious MODEL files. Attackers can exploit this to crash applications, corrupt data, or execute arbitrary code with the privileges of the current process. Users of affected Autodesk software are at risk.

💻 Affected Systems

Products:
  • Autodesk Access
Versions: Specific versions not detailed in provided references; check vendor advisory for exact ranges.
Operating Systems: Windows, macOS, Linux
Default Config Vulnerable: ⚠️ Yes
Notes: Vulnerability requires parsing of malicious MODEL files through affected Autodesk products.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Remote code execution leading to complete system compromise, data theft, or ransomware deployment.

🟠 Likely Case: Application crashes and denial of service affecting productivity workflows.

🟢 If Mitigated: Limited impact through sandboxing or restricted user privileges preventing full system compromise.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Exploitation requires user interaction to open malicious files, but no authentication is needed once the file is processed.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Check vendor advisory for specific patched versions.

Vendor Advisory: https://www.autodesk.com/trust/security-advisories/adsk-sa-2025-0024

Restart Required: Yes

Instructions:

1. Visit the Autodesk Trust Center advisory URL.
2. Identify affected products and versions.
3. Download and apply the latest security updates from Autodesk.
4. Restart the application or system as required.

🔧 Temporary Workarounds

Restrict MODEL file handling (applies to: all)

Block or limit processing of untrusted MODEL files through application settings or group policies.

User awareness training (applies to: all)

Educate users to avoid opening MODEL files from unknown or untrusted sources.

🧯 If You Can't Patch

  • Implement application whitelisting to block unauthorized Autodesk product execution.
  • Use endpoint detection and response (EDR) tools to monitor for suspicious file parsing activities.

🔍 How to Verify

Check if Vulnerable:

Check installed Autodesk product versions against the vendor advisory to see if they fall within affected ranges.

Check Version:

Varies by product; typically check the 'About' or 'Help' menu in the application, or run a command such as 'autodesk_access --version' from the command line.

Verify Fix Applied:

Confirm that Autodesk products have been updated to versions specified in the vendor advisory as patched.

📡 Detection & Monitoring

Log Indicators:

  • Application crash logs from Autodesk products
  • Unexpected file parsing errors in application logs

Network Indicators:

  • Unusual outbound connections from Autodesk processes post-file opening

SIEM Query:

Example: 'source="autodesk_logs" AND (event_type="crash" OR event_type="file_parse_error")'
