CVE-2025-9455 is an out-of-bounds read vulnerability classified under CWE-125, affecting Autodesk Shared Components version 2026.0. The vulnerability arises when the software parses a maliciously crafted CATPRODUCT file, a file format commonly used in CAD environments for product structure data. This out-of-bounds read can lead to memory corruption, which attackers can leverage to cause application crashes (denial of service), leak sensitive information from memory, or execute arbitrary code with the privileges of the current user process. The vulnerability requires user interaction, specifically opening or processing the crafted CATPRODUCT file, but does not require prior authentication or elevated privileges. The CVSS v3.1 base score is 7.8, reflecting high severity due to the potential for confidentiality, integrity, and availability impacts. Although no public exploits have been reported yet, the vulnerability's characteristics make it a significant risk for environments using Autodesk products, especially in design and manufacturing sectors. The lack of available patches at the time of reporting necessitates immediate attention to mitigate exposure. Autodesk Shared Components are integral to multiple Autodesk applications, increasing the scope of affected systems. The vulnerability's exploitation vector is local or network-based if files are received via email or shared drives, emphasizing the importance of secure file handling and user awareness.

The impact of CVE-2025-9455 is substantial for organizations relying on Autodesk Shared Components, particularly in industries such as manufacturing, automotive, aerospace, and architecture where CAD software is critical. Successful exploitation can lead to unauthorized disclosure of sensitive design data, intellectual property theft, and disruption of engineering workflows through application crashes. Arbitrary code execution could allow attackers to install malware, move laterally within networks, or escalate privileges if combined with other vulnerabilities. This could result in operational downtime, financial losses, and reputational damage. The vulnerability affects confidentiality, integrity, and availability, making it a comprehensive threat. Given the widespread use of Autodesk products globally, the potential scale of impact is large, especially in organizations with less mature cybersecurity controls or those that frequently exchange CAD files with external partners. The requirement for user interaction means social engineering or phishing could be used to deliver the malicious CATPRODUCT files, increasing the attack surface.

1. Monitor Autodesk’s official channels for patches addressing CVE-2025-9455 and apply them immediately upon release. 2. Until patches are available, restrict the opening of CATPRODUCT files from untrusted or unknown sources. 3. Implement file scanning and sandboxing solutions to analyze CATPRODUCT files before they reach end users. 4. Educate users, especially engineers and designers, about the risks of opening unsolicited or suspicious CAD files. 5. Employ application whitelisting and endpoint detection and response (EDR) tools to detect anomalous behavior related to Autodesk applications. 6. Use network segmentation to limit the spread of potential compromise originating from affected systems. 7. Regularly back up critical design data and verify the integrity of backups to ensure recovery capability in case of exploitation. 8. Consider disabling or limiting features in Autodesk Shared Components that automatically parse or preview CATPRODUCT files if feasible. 9. Maintain up-to-date antivirus and endpoint protection solutions capable of detecting exploitation attempts. 10. Review and tighten access controls around shared drives and email gateways to reduce the risk of malicious file delivery.