CVE-2025-15062: CWE-416: Use After Free in Trimble SketchUp
CVE-2025-15062 is a high-severity use-after-free vulnerability in Trimble SketchUp version 25.0.660 that allows remote code execution. The flaw exists in the SKP file parser due to improper validation of object existence before operations, enabling attackers to execute arbitrary code in the context of the current process. Exploitation requires user interaction, such as opening a malicious SKP file or visiting a malicious page. The vulnerability impacts confidentiality, integrity, and availability, with a CVSS score of 7.8. No known exploits are currently in the wild. European organizations using SketchUp, especially in architecture, engineering, and construction sectors, are at risk. Mitigation involves applying patches once available, restricting SKP file sources, employing endpoint protection, and user training.
AI Analysis
Technical Summary
CVE-2025-15062 is a use-after-free vulnerability classified under CWE-416 found in the Trimble SketchUp software, specifically version 25.0.660. The vulnerability arises from improper handling during the parsing of SKP files, where the software fails to verify the existence of an object before performing operations on it. This leads to a use-after-free condition, which attackers can exploit to execute arbitrary code remotely. The attack vector requires user interaction, such as opening a crafted malicious SKP file or visiting a malicious webpage that triggers the vulnerability. Successful exploitation allows an attacker to run code with the privileges of the current user, potentially leading to full system compromise. The vulnerability has a CVSS 3.0 base score of 7.8, indicating high severity, with impacts on confidentiality, integrity, and availability. Although no public exploits are known at this time, the flaw’s nature and the widespread use of SketchUp in professional environments make it a significant threat. The vulnerability was reported by ZDI (ZDI-CAN-27769) and published in early 2026. The lack of patch links suggests that a fix may still be pending or recently released. Organizations relying on SketchUp for design and modeling should be vigilant and prepare to deploy updates promptly.
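The defect class described above (an object is released during parsing, but a later record still operates on it) is easiest to see in a tiny parser with an object table. The following is an added illustration, not SketchUp code and not the SKP format: the two-byte record layout, the opcodes and the `object_t` type are all constructed here. Deletion clears the table slot, and every operation looks the object up again and rejects the stream if the slot is empty, which is the existence check the advisory says is missing.

```c
/* Added example: a toy record parser that verifies object existence before
 * every operation. Record format (opcode, id) and opcodes are constructed. */
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define MAX_OBJECTS 8

enum { OP_DEFINE = 1, OP_DELETE = 2, OP_USE = 3 };
enum { PARSE_OK = 0, PARSE_ERR_BAD_ID = -1, PARSE_ERR_MISSING = -2,
       PARSE_ERR_TRUNC = -3, PARSE_ERR_BAD_OP = -4, PARSE_ERR_OOM = -5 };

typedef struct { uint8_t id; uint32_t uses; } object_t;

typedef struct {
    object_t *slots[MAX_OBJECTS];  /* NULL means "no live object in this slot" */
    uint32_t total_uses;           /* survives parse_records() for inspection */
} parser_t;

/* Resolve an id through the table on every access; never cache a raw pointer
 * across records, since a later record may free the object. */
static object_t *lookup(parser_t *p, uint8_t id) {
    return id < MAX_OBJECTS ? p->slots[id] : NULL;
}

int parse_records(parser_t *p, const uint8_t *buf, size_t len) {
    memset(p, 0, sizeof *p);
    int rc = PARSE_OK;
    for (size_t i = 0; i < len && rc == PARSE_OK; i += 2) {
        if (i + 1 >= len) { rc = PARSE_ERR_TRUNC; break; }   /* half a record */
        uint8_t op = buf[i], id = buf[i + 1];
        if (id >= MAX_OBJECTS) { rc = PARSE_ERR_BAD_ID; break; }
        object_t *o = lookup(p, id);
        switch (op) {
        case OP_DEFINE:
            if (o != NULL) break;                /* redefinition: keep existing */
            if ((o = calloc(1, sizeof *o)) == NULL) { rc = PARSE_ERR_OOM; break; }
            o->id = id; p->slots[id] = o;
            break;
        case OP_DELETE:
            if (o == NULL) { rc = PARSE_ERR_MISSING; break; }
            free(o); p->slots[id] = NULL;        /* clear the reference on free */
            break;
        case OP_USE:
            if (o == NULL) { rc = PARSE_ERR_MISSING; break; }  /* existence check */
            o->uses++; p->total_uses++;
            break;
        default: rc = PARSE_ERR_BAD_OP;
        }
    }
    for (int k = 0; k < MAX_OBJECTS; k++) { free(p->slots[k]); p->slots[k] = NULL; }
    return rc;
}
```

A "define, delete, use" sequence is rejected with PARSE_ERR_MISSING instead of dereferencing freed memory; the same lookup-before-use pattern applies whether the references are table indices, handles or pointers.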
Potential Impact
For European organizations, especially those in architecture, engineering, construction, and related design fields that heavily utilize Trimble SketchUp, this vulnerability poses a significant risk. Exploitation could lead to unauthorized code execution, resulting in data breaches, intellectual property theft, or disruption of critical design workflows. The compromise of design files or systems could impact project timelines and confidentiality of sensitive client information. Given the requirement for user interaction, phishing or social engineering campaigns could be used to deliver malicious SKP files, increasing the attack surface. The high CVSS score reflects the potential for severe impact on confidentiality, integrity, and availability, which could translate into financial losses, reputational damage, and regulatory consequences under GDPR if personal data is involved. The absence of known exploits currently provides a window for proactive defense, but the risk of future exploitation remains high.
Mitigation Recommendations
1. Monitor Trimble's official channels and security advisories closely for patches addressing CVE-2025-15062 and apply them immediately upon release.
2. Until patches are available, restrict the opening of SKP files from untrusted or unknown sources through policy controls and endpoint security solutions.
3. Implement application whitelisting and sandboxing for SketchUp to limit the impact of potential exploitation.
4. Educate users about the risks of opening unsolicited SKP files or clicking on suspicious links, emphasizing social engineering awareness.
5. Employ network-level protections such as email filtering and web gateway controls to block malicious payloads.
6. Conduct regular backups of critical design data and verify recovery procedures to mitigate ransomware or destructive attack consequences.
7. Use endpoint detection and response (EDR) tools to identify anomalous behavior indicative of exploitation attempts.
8. Review and limit user privileges on systems running SketchUp to reduce the potential impact of a successful attack.
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Sweden
Technical Details
- Data Version: 5.2
- Assigner Short Name: zdi
- Date Reserved: 2025-12-23T21:12:59.764Z
- CVSS Version: 3.0
- State: PUBLISHED
Threat ID: 6972f3a54623b1157cfeb6e1
Added to database: 1/23/2026, 4:05:57 AM
Last enriched: 1/30/2026, 10:13:31 AM
Last updated: 2/5/2026, 10:19:01 AM