CVE-2025-10899 is an out-of-bounds write vulnerability classified under CWE-787, found in Autodesk Shared Components version 2026.0. The vulnerability arises when a specially crafted MODEL file is parsed by Autodesk products utilizing these shared components. This malformed file triggers an out-of-bounds write condition, which can corrupt memory adjacent to the intended buffer. The consequences include application crashes, data corruption, or potentially arbitrary code execution within the context of the current process. The CVSS v3.1 score is 7.8, indicating high severity, with an attack vector of local (AV:L), low attack complexity (AC:L), no privileges required (PR:N), but requiring user interaction (UI:R). The scope remains unchanged (S:U), and the impact is high on confidentiality, integrity, and availability (C:H/I:H/A:H). Exploitation requires a user to open a malicious MODEL file, which means social engineering or phishing could be used to deliver the payload. No public exploits are known at this time, but the vulnerability poses a significant risk due to the potential for arbitrary code execution. Autodesk Shared Components are widely used across multiple Autodesk products, which are prevalent in CAD, engineering, and design workflows. The vulnerability was reserved in September 2025 and published in December 2025, with no patches currently available, emphasizing the need for proactive mitigation.

For European organizations, the impact of CVE-2025-10899 is considerable, especially for those in sectors heavily reliant on Autodesk products such as automotive, aerospace, manufacturing, architecture, and civil engineering. Successful exploitation could lead to unauthorized code execution, allowing attackers to compromise sensitive design data, intellectual property, and potentially gain footholds within corporate networks. Data corruption or application crashes could disrupt critical design and production workflows, leading to operational downtime and financial losses. Given the high confidentiality and integrity impact, stolen or altered design files could have downstream effects on product safety and compliance. The requirement for local access and user interaction somewhat limits remote exploitation but does not eliminate risk, as attackers could use phishing or malicious file distribution campaigns targeting European employees. The absence of known exploits in the wild currently reduces immediate threat but does not preclude future active exploitation. Organizations with extensive Autodesk deployments and collaborative design environments are particularly vulnerable to supply chain or insider threat scenarios leveraging this vulnerability.

1. Monitor Autodesk’s official channels for patches addressing CVE-2025-10899 and apply them immediately upon release. 2. Until patches are available, restrict the opening of MODEL files from untrusted or unknown sources, implementing strict file validation and sandboxing where possible. 3. Employ endpoint protection solutions capable of detecting anomalous behavior related to memory corruption or code execution attempts within Autodesk processes. 4. Educate users on the risks of opening unsolicited or suspicious MODEL files, emphasizing phishing awareness and safe file handling practices. 5. Utilize application whitelisting and least privilege principles to limit the execution context of Autodesk applications, reducing the potential impact of exploitation. 6. Implement network segmentation to isolate design and engineering workstations from critical infrastructure and sensitive data repositories. 7. Conduct regular backups of design files and system states to enable recovery from potential data corruption or ransomware scenarios triggered by exploitation. 8. Consider deploying advanced memory protection techniques such as Control Flow Guard (CFG) and Data Execution Prevention (DEP) on affected systems to mitigate exploitation attempts.