CVE-2024-9723: CWE-416: Use After Free in Trimble SketchUp Viewer
Trimble SketchUp Viewer SKP File Parsing Use-After-Free Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Trimble SketchUp Viewer. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of SKP files. The issue results from the lack of validating the existence of an object prior to performing operations on the object. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-24107.
AI Analysis
Technical Summary
CVE-2024-9723 is a use-after-free vulnerability (CWE-416) in Trimble SketchUp Viewer; the version named in the report is 22.0.316.0. The flaw sits in the SKP file parsing code, which performs operations on an object without first verifying that the object still exists, so a reference to an object that has already been released is dereferenced. That is a memory-corruption condition an attacker can steer toward code execution through the contents of the file. Exploitation requires user interaction: the victim must open a crafted SKP file or visit a web page that causes one to be opened. Code obtained this way runs with the privileges of the user running SketchUp Viewer. The CVSS 3.0 base score is 7.8 (high), with high confidentiality, integrity and availability impact; the vector is local (AV:L), low attack complexity (AC:L), no privileges required (PR:N), user interaction required (UI:R), scope unchanged (S:U). The wording is worth reading carefully: ZDI describes the bug as "remote" code execution because the malicious file is delivered over the network, while the CVSS vector is local because the vulnerable parser only runs when a local user opens that file; the two statements are consistent. No public exploit is known at the time of writing, but the issue was reported through the Zero Day Initiative and is publicly disclosed. The record carries no patch links, which suggests a fix may not yet be available, so interim mitigations matter accordingly.
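The description names the flaw as a missing check that an object still exists before the parser operates on it, which is the classic shape of a CWE-416 bug in a file parser: one code path releases an object while another path keeps using a reference to it. The program below is an added illustration of that pattern and is not SketchUp code; the record format (CREATE/SELECT/DELETE/USE/END opcodes), the object table, the `parse_stream` function and the two sample streams are all invented for the example, and nothing here describes how the real SKP parser is laid out. The same function is built in a vulnerable form (a cached pointer is left dangling after the object is freed, and a NULL check is mistaken for an existence check) and a hardened form (every cached reference is invalidated before the free, so a later use is rejected).

```c
/* Toy object-table parser showing the CWE-416 pattern described in the advisory.
 * Constructed example: the record format is invented and is NOT the SKP format.  */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#define MAX_OBJECTS 16

typedef struct { uint32_t value; } toy_obj;

/* Opcodes of the invented record stream:
 *   CREATE id v32le : allocate object id holding v, make it current
 *   SELECT id       : make object id current
 *   DELETE id       : free object id
 *   USE             : add the current object's value to the running sum
 *   END             : finish the stream                                        */
enum { OP_END = 0, OP_CREATE = 1, OP_SELECT = 2, OP_DELETE = 3, OP_USE = 4 };

/* Parses buf[0..len). With hardened == 0 the code has the CWE-416 pattern: DELETE frees
 * the object but the cached 'current' pointer is left dangling, and USE takes "pointer
 * is non-NULL" as proof the object exists. With hardened == 1 the cached reference is
 * invalidated before the free, so USE sees the object as absent and the stream is
 * rejected. Returns 0 and writes the sum to *out, or -1 for malformed/rejected input. */
int parse_stream(const uint8_t *buf, size_t len, int hardened, uint32_t *out)
{
    toy_obj *table[MAX_OBJECTS] = {0};
    toy_obj *current = NULL;
    uint32_t sum = 0;
    size_t pos = 0;
    int rc = -1;

    while (pos < len) {
        uint8_t op = buf[pos++];
        if (op == OP_END) { rc = 0; break; }
        if (op == OP_USE) {
            if (current == NULL) goto done;   /* a NULL check cannot detect a freed object */
            sum += current->value;            /* use-after-free read when 'current' dangles */
            continue;
        }
        if (pos >= len) goto done;            /* truncated record: id byte missing */
        uint8_t id = buf[pos++];
        if (id >= MAX_OBJECTS) goto done;     /* bounds check on the object table index */

        switch (op) {
        case OP_CREATE:
            if (pos + 4 > len) goto done;     /* truncated record: value missing */
            if (table[id] != NULL) goto done; /* duplicate id is rejected, not replaced */
            table[id] = malloc(sizeof *table[id]);
            if (table[id] == NULL) goto done;
            table[id]->value = (uint32_t)buf[pos] | (uint32_t)buf[pos + 1] << 8
                             | (uint32_t)buf[pos + 2] << 16 | (uint32_t)buf[pos + 3] << 24;
            pos += 4;
            current = table[id];
            break;
        case OP_SELECT:
            if (table[id] == NULL) goto done; /* existence check against the table */
            current = table[id];
            break;
        case OP_DELETE:
            if (table[id] == NULL) goto done;
            if (hardened && current == table[id])
                current = NULL;               /* hardened: drop the cached reference first */
            free(table[id]);
            table[id] = NULL;
            break;
        default:
            goto done;                        /* unknown opcode */
        }
    }
done:
    for (int i = 0; i < MAX_OBJECTS; i++) free(table[i]);
    if (rc == 0) *out = sum;
    return rc;
}

/* Constructed sample streams for the toy format (not real SKP data). */
static const uint8_t BENIGN[] = {
    OP_CREATE, 0, 5, 0, 0, 0,    /* object 0 = 5 */
    OP_CREATE, 1, 7, 0, 0, 0,    /* object 1 = 7, now current */
    OP_USE,                      /* sum = 7 */
    OP_SELECT, 0, OP_USE,        /* sum = 12 */
    OP_DELETE, 1,                /* object 1 freed; current still points at live object 0 */
    OP_USE,                      /* sum = 17 */
    OP_END,
};
static const uint8_t MALICIOUS[] = {
    OP_CREATE, 0, 5, 0, 0, 0,    /* object 0 = 5, current */
    OP_DELETE, 0,                /* frees object 0; 'current' dangles unless hardened */
    OP_USE,                      /* vulnerable variant reads freed memory here */
    OP_END,
};

/* Wrappers returning the sum on success and -1 when the stream is rejected. */
int sum_benign(int hardened)     { uint32_t s = 0; return parse_stream(BENIGN, sizeof BENIGN, hardened, &s) == 0 ? (int)s : -1; }
int sum_malicious_hardened(void) { uint32_t s = 0; return parse_stream(MALICIOUS, sizeof MALICIOUS, 1, &s) == 0 ? (int)s : -1; }

int main(void)
{
    printf("benign stream, vulnerable parser: %d\n", sum_benign(0));          /* 17 */
    printf("benign stream, hardened parser:   %d\n", sum_benign(1));          /* 17 */
    printf("malicious stream, hardened:       %d\n", sum_malicious_hardened()); /* -1 */
    /* The vulnerable path on MALICIOUS is deliberately not called here. Build with
     * -fsanitize=address and call parse_stream(MALICIOUS, sizeof MALICIOUS, 0, &s)
     * to watch ASan report heap-use-after-free at the USE record.               */
    return 0;
}
```

Both variants accept the benign stream and produce the same sum, which is why this class of bug survives ordinary functional testing: the difference only shows on a stream that frees an object and then refers to it. The hardened variant treats "does this object exist right now" as a question about the table, not about whether some pointer happens to be non-NULL, and it answers that question by invalidating every cached reference at the moment of release rather than trying to validate stale pointers later.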
Potential Impact
Successful exploitation gives the attacker arbitrary code execution inside the SketchUp Viewer process, and therefore the full rights of the user who opened the file; where that user is a local administrator the whole system is at stake. From there the attacker can read sensitive design files, alter or delete data, install malware, or disrupt operations. SketchUp Viewer is used across the architecture, engineering and construction industries, so the realistic outcomes include intellectual-property theft and sabotage of design projects. Because a user must open the crafted file, indiscriminate mass exploitation is unlikely, but targeted delivery of SKP files to organizations known to use SketchUp Viewer remains a credible threat. The 7.8 score reflects the high confidentiality, integrity and availability impact of such a compromise.
Mitigation Recommendations
Organizations should monitor Trimble's official channels for a fix addressing CVE-2024-9723 and apply it promptly once available; inventory installed SketchUp Viewer builds first, since the report names 22.0.316.0 and older versions cannot be assumed safe. Until a patch is applied, restrict the opening of SKP files from untrusted or unknown sources and warn users that a model file received by e-mail or downloaded from a web page can carry the exploit. Application allowlisting and sandboxing of SketchUp Viewer limit what attacker code can do once it runs in the process. Network-level controls such as blocking known-malicious websites and scanning inbound files reduce the chance of delivery. Endpoint detection and response (EDR) tooling should be tuned to flag SketchUp Viewer spawning unexpected child processes or making unusual network connections, the typical follow-on behaviour after a parser exploit. Maintain regular backups of critical design files so that they can be recovered after a compromise.
Affected Countries
United States, Canada, United Kingdom, Germany, France, Australia, Japan, South Korea, China, India
Technical Details
- Data Version: 5.1
- Assigner Short Name: zdi
- Date Reserved: 2024-10-09T19:38:43.111Z
- CVSS Version: 3.0
- State: PUBLISHED
Threat ID: 699f6b5bb7ef31ef0b5549d6
Added to database: 2/25/2026, 9:36:27 PM
Last enriched: 2/27/2026, 5:22:04 PM
Last updated: 4/11/2026, 9:29:43 PM