CVE-2025-1274 is an out-of-bounds write vulnerability classified under CWE-787, affecting Autodesk Revit versions 2023 through 2025. The flaw arises when Revit parses a maliciously crafted RCS file, which is a file format used by Revit for storing certain project data. The vulnerability allows an attacker to write data outside the intended buffer boundaries, potentially overwriting critical memory regions. This can cause the application to crash, corrupt data, or enable arbitrary code execution within the context of the Revit process. The CVSS 3.1 base score is 7.8, indicating high severity, with an attack vector of local (AV:L), low attack complexity (AC:L), no privileges required (PR:N), but user interaction is necessary (UI:R). The scope is unchanged (S:U), and the impact on confidentiality, integrity, and availability is high (C:H/I:H/A:H). Although no public exploits are known, the vulnerability poses a significant risk due to the potential for code execution and data compromise. Autodesk has not yet released patches, so mitigation currently relies on defensive measures and cautious handling of RCS files. This vulnerability is particularly critical in environments where Revit files are shared or imported from untrusted sources.

The vulnerability can lead to severe consequences for organizations using Autodesk Revit, especially those in architecture, engineering, and construction sectors where Revit is widely deployed. Successful exploitation can result in arbitrary code execution, allowing attackers to execute malicious payloads, potentially leading to system compromise, data theft, or disruption of design workflows. Data corruption could undermine the integrity of project files, causing costly delays and loss of intellectual property. The requirement for local access and user interaction limits remote exploitation but does not eliminate risk, especially in environments where users may open files from untrusted sources or external collaborators. The high impact on confidentiality, integrity, and availability means that sensitive design data and operational continuity could be severely affected.

Organizations should implement strict controls on the handling and sharing of RCS files, including validating file sources and using sandbox environments to open untrusted files. Until patches are released by Autodesk, disabling or restricting the import of RCS files from unknown or untrusted origins can reduce exposure. Employ endpoint protection solutions capable of detecting anomalous behavior related to Revit processes. Educate users about the risks of opening files from unverified sources and enforce the principle of least privilege to limit the impact of potential exploitation. Monitor systems for crashes or unusual activity related to Revit. Once Autodesk releases patches, prioritize timely deployment across all affected versions. Additionally, consider network segmentation to isolate systems running Revit from less trusted network zones to reduce the risk of lateral movement in case of compromise.