CVE-2025-1660 is a classic buffer overflow vulnerability (CWE-120) identified in Autodesk Navisworks Freedom 2025. The flaw exists because the software does not properly check the size of input data when parsing DWFX files, which are design and construction document formats used in architecture, engineering, and construction workflows. A specially crafted DWFX file can cause a buffer overflow, leading to memory corruption. This memory corruption can be exploited by an attacker to execute arbitrary code with the privileges of the current user running Navisworks Freedom. The vulnerability requires that the victim open the malicious DWFX file, implying user interaction is necessary. The attack vector is local (AV:L), meaning the attacker must deliver the malicious file to the victim and convince them to open it. The vulnerability has a CVSS 3.1 base score of 7.8, reflecting high impact on confidentiality, integrity, and availability, with low attack complexity and no privileges required. Although no public exploits are known at this time, the nature of the vulnerability and the widespread use of Autodesk products in critical industries make this a significant risk. Autodesk has not yet released a patch, so mitigation currently relies on defensive controls and user awareness.

If exploited, this vulnerability could allow attackers to execute arbitrary code on affected systems, potentially leading to full compromise of the user's environment. This could result in unauthorized access to sensitive design and project data, disruption of business operations, and potential lateral movement within corporate networks. Given the use of Navisworks Freedom in architecture, engineering, and construction sectors, exploitation could impact project confidentiality and integrity, causing financial and reputational damage. The requirement for user interaction and local attack vector somewhat limits large-scale automated exploitation but targeted attacks against high-value organizations remain a significant concern. The vulnerability affects confidentiality, integrity, and availability equally, making it a critical risk for organizations relying on this software for project collaboration and review.

Organizations should implement strict controls on the handling and opening of DWFX files, including restricting file sources to trusted origins and educating users about the risks of opening unsolicited or unexpected files. Employ application whitelisting and sandboxing to limit the impact of potential exploitation. Monitor for unusual process behavior related to Navisworks Freedom and network activity indicative of exploitation attempts. Since no patch is currently available, consider isolating systems running Navisworks Freedom from critical network segments and limiting user privileges to reduce potential damage. Regularly check Autodesk’s security advisories for updates and apply patches promptly once released. Additionally, employ endpoint detection and response (EDR) solutions capable of detecting memory corruption and code execution anomalies.