CVE-2025-1651 is a heap-based buffer overflow vulnerability identified in Autodesk AutoCAD versions 2022 through 2025. The flaw exists in the way AutoCAD parses MODEL files, which are commonly used design files within the software. A malicious actor can craft a MODEL file that triggers a heap overflow during parsing, leading to memory corruption. This corruption can cause the application to crash, leak sensitive information from memory, or allow the attacker to execute arbitrary code with the privileges of the AutoCAD process. The vulnerability requires the user to open the malicious MODEL file, implying user interaction is necessary, but no prior authentication is required. The CVSS 3.1 base score is 7.8, reflecting high severity due to the potential for complete compromise of the affected system's confidentiality, integrity, and availability. The attack vector is local (AV:L), meaning the attacker must have local access or deliver the file to the user. The vulnerability is classified under CWE-122 (Heap-Based Buffer Overflow), a common and dangerous class of memory corruption bugs. No public exploits have been reported yet, but the absence of patches at the time of disclosure increases the urgency for mitigation. Autodesk has not yet released official patches, so organizations must rely on interim protective measures.

The vulnerability poses a significant risk to organizations relying on Autodesk AutoCAD for critical design and engineering workflows. Successful exploitation can lead to arbitrary code execution, enabling attackers to install malware, steal intellectual property, or disrupt operations by crashing the application. The ability to read sensitive data from memory can expose proprietary designs or confidential project information. Given AutoCAD's widespread use in industries such as manufacturing, construction, aerospace, and infrastructure, the impact can extend to critical supply chains and national infrastructure projects. The requirement for user interaction limits remote exploitation but does not eliminate risk, especially in environments where untrusted files may be received via email or file sharing. The high CVSS score indicates that the vulnerability affects confidentiality, integrity, and availability, making it a critical concern for organizations with sensitive design data or regulatory compliance requirements.

Until Autodesk releases official patches, organizations should implement several specific mitigations: 1) Enforce strict file validation and scanning policies to detect and block suspicious or untrusted MODEL files before they reach end users. 2) Educate users on the risks of opening MODEL files from unknown or untrusted sources, emphasizing caution with email attachments and downloads. 3) Employ application whitelisting and sandboxing techniques to limit the privileges of AutoCAD processes and contain potential exploitation. 4) Monitor AutoCAD process behavior for anomalies such as unexpected crashes or memory access violations that may indicate exploitation attempts. 5) Restrict local access to systems running AutoCAD to trusted personnel only, reducing the attack surface. 6) Maintain up-to-date backups of critical design files to enable recovery in case of disruption. 7) Prepare to deploy patches promptly once Autodesk releases them, and test patches in controlled environments before widespread rollout. These targeted measures go beyond generic advice by focusing on the specific attack vector and operational context of AutoCAD usage.