CVE-2024-9720 is an out-of-bounds read vulnerability classified under CWE-125 found in Trimble SketchUp Viewer version 22.0.316.0. The issue occurs during the parsing of SKP files, the native file format for SketchUp models. The root cause is insufficient validation of user-supplied data within the file parsing logic, which allows an attacker to read memory beyond the intended buffer boundaries. This memory corruption can be leveraged to execute arbitrary code remotely in the context of the current user process. Exploitation requires user interaction, such as opening a malicious SKP file or visiting a malicious webpage that triggers the vulnerable parsing code. The vulnerability has a CVSS v3.0 base score of 7.8, indicating high severity, with attack vector local (requiring user action), low attack complexity, no privileges required, user interaction required, and impacts on confidentiality, integrity, and availability. Although no exploits are currently known in the wild, the potential for remote code execution makes this a significant risk. The vulnerability was reported by the Zero Day Initiative (ZDI) as ZDI-CAN-24104 and publicly disclosed on November 22, 2024. No official patches have been linked yet, so users must monitor vendor updates closely.

The vulnerability allows remote attackers to execute arbitrary code on affected systems, potentially leading to full compromise of the user environment where SketchUp Viewer is installed. This can result in unauthorized access to sensitive data, modification or deletion of files, installation of malware, or disruption of services. Since the exploit requires user interaction, social engineering or phishing campaigns could be used to deliver malicious SKP files or lure users to compromised websites. Organizations using SketchUp Viewer for architectural, engineering, or design workflows may face operational disruptions and intellectual property theft. The broad impact on confidentiality, integrity, and availability elevates the risk, especially in environments where SketchUp Viewer is widely deployed or integrated into critical workflows.

Users and organizations should immediately restrict the use of SketchUp Viewer version 22.0.316.0 until an official patch is released by Trimble. Avoid opening SKP files from untrusted or unknown sources and be cautious of unsolicited links or attachments that could trigger the vulnerability. Employ endpoint protection solutions capable of detecting anomalous behavior related to code execution from user applications. Network-level controls such as web filtering and email gateway protections can help block malicious payload delivery. Implement application whitelisting to limit execution of unauthorized code. Monitor for unusual process activity and maintain regular backups to enable recovery in case of compromise. Stay informed via Trimble’s official channels for security updates and apply patches promptly once available.