CVE-2025-10900

7.8 HIGH

📋 TL;DR

This CVE describes an out-of-bounds write in the MODEL file parser of affected Autodesk products. A victim who opens a crafted MODEL file can trigger a crash, data corruption, or arbitrary code execution with the privileges of the Autodesk process (typically the logged-in user). Any user of an unpatched affected product who opens files from untrusted sources is at risk.

💻 Affected Systems

Products:
  • Autodesk Access
Versions: Specific versions not detailed in provided references; check vendor advisory for exact ranges.
Operating Systems: Windows and macOS builds of the affected products; confirm the exact platform list in the vendor advisory.
Default Config Vulnerable: ⚠️ Yes
Notes: Vulnerability requires parsing a malicious MODEL file through affected Autodesk products.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case: Remote code execution leading to complete system compromise, data theft, or ransomware deployment.

🟠 Likely Case: Application crashes and denial of service affecting productivity workflows.

🟢 If Mitigated: Limited impact through application sandboxing or restricted user privileges.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Exploitation requires user interaction: the victim must open a malicious MODEL file in an affected product. No authentication is needed beyond getting the file in front of the user (email attachment, shared drive, download).

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Check Autodesk Security Advisory ADSK-SA-2025-0024 for specific patched versions.

Vendor Advisory: https://www.autodesk.com/trust/security-advisories/adsk-sa-2025-0024

Restart Required: Yes

Instructions:

1. Visit the Autodesk Security Advisory URL.
2. Identify affected products and versions.
3. Update to the latest patched version via Autodesk Access or official download channels.
4. Restart the application and system if required.

🔧 Temporary Workarounds

Restrict MODEL File Handling (platform: all)

Block or limit processing of untrusted MODEL files through application policies or user training.

Use Least Privilege (platform: all)

Run Autodesk applications with restricted user privileges to limit impact of potential code execution.

🧯 If You Can't Patch

  • Isolate affected systems from untrusted networks and users, and block MODEL attachments from external senders at the mail gateway where the workflow allows it.
  • Implement application allowlisting. Note that allowlisting does not stop the overflow itself, which runs inside the trusted Autodesk process; it limits what a successful payload can launch afterwards (droppers, scripts, second-stage tools).

🔍 How to Verify

Check if Vulnerable:

Check installed Autodesk product versions against the vendor advisory; if using unpatched versions, assume vulnerable.

Check Version:

Check via Autodesk Access or the product's 'About' dialog. On Windows the installed version is also recorded under Apps & Features and in the registry Uninstall keys (DisplayName / DisplayVersion); the exact command varies by OS and product.

Verify Fix Applied:

Confirm version is updated to patched release specified in Autodesk advisory and test with safe files.
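The following PowerShell script is an added example for the verification steps above; it is not part of the Autodesk advisory. It enumerates Autodesk products from the Windows Uninstall registry keys (64-bit, 32-bit and per-user views) and compares each DisplayVersion against a table of patched versions. The page does not state the patched versions, so the `$PatchedVersions` table is an assumption you must fill from ADSK-SA-2025-0024; products with no entry are reported as "CHECK ADVISORY" rather than guessed.

```powershell
# Added example (not from the Autodesk advisory): inventory installed Autodesk
# products from the Windows Uninstall registry keys and flag versions below
# the patched release. Patched versions are NOT known from this page: populate
# $PatchedVersions from ADSK-SA-2025-0024 before relying on the result.
param(
    # Assumed shape: product DisplayName prefix -> minimum patched version string.
    # Example (illustrative only): @{ 'Autodesk Access' = '0.0.0' }
    [hashtable]$PatchedVersions = @{}
)

# Uninstall keys for 64-bit, 32-bit (WOW6432Node) and per-user installs.
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

$products = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.Publisher -like 'Autodesk*' -and $_.DisplayName } |
    Select-Object DisplayName, DisplayVersion, InstallDate, Publisher

foreach ($p in $products) {
    $status = 'CHECK ADVISORY'   # no patched version supplied for this product

    # Match the product against the table by DisplayName prefix.
    $key = $PatchedVersions.Keys | Where-Object { $p.DisplayName -like "$_*" } | Select-Object -First 1
    if ($key) {
        try {
            # [version] needs at least major.minor; anything odd lands in the catch.
            $installed = [version]$p.DisplayVersion
            $required  = [version]$PatchedVersions[$key]
            $status = if ($installed -ge $required) { 'PATCHED' } else { 'VULNERABLE' }
        } catch {
            $status = 'UNPARSEABLE VERSION'
        }
    }

    [pscustomobject]@{
        Product   = $p.DisplayName
        Installed = $p.DisplayVersion
        Installed = $p.InstallDate
        Status    = $status
    }
}
```

Run it as `.\Check-AutodeskVersions.ps1 -PatchedVersions @{ 'Autodesk Access' = '<version from advisory>' } | Format-Table -AutoSize` from an elevated prompt so HKLM is readable. Anything reported as VULNERABLE or CHECK ADVISORY should be updated through Autodesk Access or the official download channel and re-checked.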

📡 Detection & Monitoring

Log Indicators:

  • Application crashes with memory access violations
  • Unexpected file parsing errors in Autodesk logs

Network Indicators:

  • Unusual outbound connections from Autodesk processes post-file opening

SIEM Query:

Example (pseudo-query; adapt field names to your SIEM): 'source="windows_application_log" AND provider="Application Error" AND event_id="1000" AND faulting_application="*autodesk*" AND (exception_code="0xc0000005" OR message="*access violation*")'. Event ID 1000 from the "Application Error" provider is the Windows crash record; exception code 0xc0000005 is STATUS_ACCESS_VIOLATION, the signature of a memory-safety fault such as this out-of-bounds write.
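As an added example (not the page's own query), the PowerShell below implements the crash-based detection above on a single endpoint: it reads Application Error events (ID 1000) from the Windows Application log, keeps those whose faulting application is an Autodesk process, and marks exception codes that indicate a memory-safety fault. The process name patterns are assumptions; adjust them to the products actually installed.

```powershell
# Added example (not from the page): find crashes of Autodesk processes in the
# Windows Application log and flag memory-safety exception codes.
param(
    [int]$Days = 7,
    # Assumed process names; replace with the executables of your installed products.
    [string[]]$AutodeskProcesses = @('AutodeskAccess*.exe', 'acad.exe', 'Revit.exe', 'Inventor.exe')
)

# 'Application Error' is the provider that writes Event ID 1000 crash records.
$events = Get-WinEvent -FilterHashtable @{
    LogName      = 'Application'
    ProviderName = 'Application Error'
    Id           = 1000
    StartTime    = (Get-Date).AddDays(-$Days)
} -ErrorAction SilentlyContinue

foreach ($e in $events) {
    # Parse the message text by label; this is more stable than positional properties.
    if ($e.Message -notmatch 'Faulting application name:\s*(?<app>[^,]+),') { continue }
    $app = $Matches.app.Trim()

    # Keep only Autodesk processes (wildcard match against the assumed list).
    if (-not ($AutodeskProcesses | Where-Object { $app -like $_ })) { continue }

    $code = if ($e.Message -match 'Exception code:\s*(?<code>0x[0-9a-fA-F]+)') { $Matches.code } else { 'unknown' }
    $module = if ($e.Message -match 'Faulting module name:\s*(?<mod>[^,]+),') { $Matches.mod.Trim() } else { 'unknown' }

    [pscustomobject]@{
        Time          = $e.TimeCreated
        Process       = $app
        Module        = $module
        ExceptionCode = $code
        # 0xc0000005 = STATUS_ACCESS_VIOLATION; 0xc0000409 = STATUS_STACK_BUFFER_OVERRUN (fail-fast / stack cookie)
        Suspicious    = ($code -in @('0xc0000005', '0xc0000409'))
    }
}
```

Run it as `.\Find-AutodeskCrashes.ps1 -Days 30 | Where-Object Suspicious | Format-Table -AutoSize`. A single crash is usually a bug, not an attack; what matters is a suspicious crash of an Autodesk process shortly after a MODEL file arrived from outside, followed by the unusual outbound connections listed under Network Indicators, so correlate the Time column with file-open and proxy logs rather than alerting on the event alone.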

🔗 References
