CVE-2025-10244 is a stored Cross-Site Scripting (XSS) vulnerability classified under CWE-79 affecting Autodesk Fusion desktop application version 2602.1.25. The vulnerability arises when the application improperly handles and renders malicious HTML payloads embedded within user-controllable inputs or stored data. When the crafted payload is rendered, it executes within the context of the Fusion process, enabling an attacker to perform actions such as reading local files or executing arbitrary code. The attack vector is network-based (AV:N), with low attack complexity (AC:L), requiring privileges (PR:L) and user interaction (UI:R). The scope is changed (S:C), meaning the vulnerability affects resources beyond the initially vulnerable component. The impact on confidentiality and integrity is high (C:H, I:H), while availability is not affected (A:N). This vulnerability could be exploited by an attacker who can inject malicious HTML content into the application, potentially via shared project files, collaboration features, or imported data. Although no exploits are currently known in the wild, the vulnerability poses a significant risk due to the ability to execute code and access sensitive local files. Autodesk has not yet released a patch, so mitigation relies on defensive controls and monitoring.

The vulnerability allows attackers to execute arbitrary code and read local files within the Autodesk Fusion process context, potentially leading to data theft, intellectual property exposure, and unauthorized system manipulation. For organizations relying on Autodesk Fusion for design and engineering workflows, this could compromise sensitive design files and proprietary information. The high confidentiality and integrity impact could result in loss of trust, regulatory non-compliance, and operational disruption if attackers manipulate design data. Since the vulnerability requires user interaction and some privileges, targeted phishing or social engineering attacks could be used to exploit it. The lack of availability impact means systems remain operational but compromised. The threat is particularly critical for industries such as manufacturing, aerospace, automotive, and infrastructure where Autodesk Fusion is widely used.

Until an official patch is released, organizations should implement strict input validation and sanitization on any data imported or shared within Autodesk Fusion projects to prevent malicious HTML payloads. Restrict user privileges to the minimum necessary to reduce exploitation potential. Educate users to avoid opening untrusted project files or links that could contain malicious content. Employ endpoint detection and response (EDR) solutions to monitor for suspicious process behavior related to Autodesk Fusion. Network segmentation can limit exposure to attackers who gain initial access. Regularly back up design files and maintain version control to detect unauthorized changes. Once Autodesk releases a patch, prioritize immediate deployment. Additionally, consider disabling or restricting collaboration features that allow external content injection until the vulnerability is resolved.