CVE-2025-9455 is an out-of-bounds read vulnerability classified under CWE-125 affecting Autodesk Shared Components version 2026.0. The vulnerability arises when the software parses a specially crafted CATPRODUCT file, which is a file format used by Autodesk to represent product assemblies in CAD workflows. The out-of-bounds read can lead to memory corruption, enabling an attacker to cause a denial-of-service (application crash), leak sensitive information from memory, or potentially execute arbitrary code within the context of the running Autodesk process. The CVSS 3.1 base score is 7.8, indicating high severity, with the vector AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H. This means exploitation requires local access (local attack vector), low attack complexity, no privileges, but user interaction is necessary (the user must open or process the malicious CATPRODUCT file). The vulnerability impacts confidentiality, integrity, and availability, as it can lead to data disclosure, code execution, and service disruption. No patches or known exploits are currently available, but the vulnerability is publicly disclosed and should be considered a significant risk for environments using Autodesk Shared Components. The vulnerability is particularly relevant for organizations relying on Autodesk CAD tools for product design and manufacturing workflows.

For European organizations, especially those in manufacturing, automotive, aerospace, and engineering sectors that heavily rely on Autodesk CAD products, this vulnerability poses a significant risk. Exploitation could lead to unauthorized disclosure of intellectual property, design documents, and sensitive project data, impacting confidentiality. The ability to execute arbitrary code could allow attackers to move laterally within networks or deploy ransomware, affecting integrity and availability. Disruption of design workflows due to crashes can cause operational delays and financial losses. Since exploitation requires user interaction, phishing or social engineering could be used to deliver malicious CATPRODUCT files. The impact is heightened in organizations with less mature endpoint security or where Autodesk products are widely deployed without strict file handling policies. The vulnerability could also affect supply chain partners and contractors using Autodesk tools, increasing the attack surface.

Organizations should implement a multi-layered approach to mitigate this vulnerability. First, monitor Autodesk’s official channels for patches or updates addressing CVE-2025-9455 and apply them promptly once released. Until patches are available, restrict the opening of CATPRODUCT files from untrusted or external sources, employing file integrity monitoring and sandboxing techniques. Educate users on the risks of opening unsolicited or suspicious CAD files, emphasizing cautious handling of CATPRODUCT files. Employ endpoint protection solutions capable of detecting anomalous behavior related to Autodesk processes. Network segmentation can limit the spread of potential exploitation. Additionally, implement strict access controls and least privilege principles for users handling CAD files. Regularly back up critical design data and verify restoration processes to minimize impact from potential ransomware or data corruption. Finally, conduct threat hunting and monitoring for unusual Autodesk application crashes or memory access anomalies.