CVE-2025-10900 is an out-of-bounds write vulnerability classified under CWE-787, found in Autodesk Shared Components version 2026.0. The flaw arises when a specially crafted MODEL file is parsed by certain Autodesk products, leading to memory corruption due to writing outside the intended buffer boundaries. This memory corruption can cause application crashes, data corruption, or enable an attacker to execute arbitrary code within the context of the current process. The vulnerability requires local access and user interaction (opening the malicious MODEL file), but no prior authentication or elevated privileges are necessary. The attack vector is local (AV:L), with low attack complexity (AC:L), and no privileges required (PR:N). The vulnerability affects confidentiality, integrity, and availability (all rated high), making it a critical concern for affected environments. Although no public exploits are known at this time, the potential for remote code execution through social engineering or delivery of malicious MODEL files makes it a significant threat. Autodesk Shared Components are widely used in various Autodesk design and engineering software, which are prevalent in industries such as architecture, manufacturing, and construction. The vulnerability was reserved in September 2025 and published in December 2025, with no patches currently available, emphasizing the need for immediate mitigation strategies.

The vulnerability can lead to severe consequences including arbitrary code execution, which may allow attackers to take control of affected systems, steal sensitive design data, or disrupt critical workflows. Data corruption risks threaten the integrity of design files, potentially causing costly errors or project delays. Application crashes can result in denial of service, impacting productivity. Since Autodesk products are widely used in engineering, architecture, and manufacturing sectors globally, exploitation could disrupt critical infrastructure projects and intellectual property protection. The requirement for user interaction limits remote exploitation but does not eliminate risk, especially in environments where untrusted MODEL files are exchanged. The high CVSS score (7.8) reflects the broad impact on confidentiality, integrity, and availability, making this a high-priority vulnerability for organizations relying on Autodesk software.

1. Monitor Autodesk’s official channels for patches and apply them immediately upon release. 2. Implement strict file validation and sandboxing for MODEL files before opening them in Autodesk products to detect and block malformed files. 3. Educate users about the risks of opening MODEL files from untrusted or unknown sources to reduce the likelihood of successful exploitation. 4. Employ endpoint protection solutions capable of detecting anomalous behavior indicative of exploitation attempts, such as unexpected crashes or memory corruption. 5. Restrict local user permissions to minimize the impact of potential code execution within user contexts. 6. Use application whitelisting and process isolation techniques to limit the ability of compromised Autodesk processes to affect other system components. 7. Maintain regular backups of critical design data to recover from potential data corruption or ransomware attacks leveraging this vulnerability.