CVE-2025-9456 is an out-of-bounds write vulnerability classified under CWE-787 affecting Autodesk Shared Components version 2026.0. The vulnerability arises when a specially crafted SLDPRT file is parsed by Autodesk software, causing memory corruption due to improper bounds checking. This memory corruption can be exploited by an attacker to execute arbitrary code within the context of the current process, potentially allowing full compromise of the affected application. The vulnerability requires the victim to open a malicious file, implying user interaction is necessary, but does not require elevated privileges or prior authentication. The CVSS v3.1 base score is 7.8, reflecting high impact on confidentiality, integrity, and availability, with low attack complexity and no privileges required. Although no public exploits have been reported yet, the nature of the vulnerability suggests that once weaponized, it could be used for targeted attacks or malware delivery. Autodesk Shared Components are widely used across various Autodesk CAD products, making this a significant risk for organizations relying on these tools for design and engineering workflows. The vulnerability was reserved in August 2025 and published in December 2025, indicating recent discovery and disclosure. No patches were listed at the time of this report, so users must monitor Autodesk advisories closely.

The potential impact of CVE-2025-9456 is substantial for organizations using Autodesk products, particularly in sectors such as manufacturing, architecture, engineering, and construction where CAD tools are integral. Successful exploitation could lead to arbitrary code execution, enabling attackers to install malware, steal sensitive design data, disrupt workflows, or pivot within internal networks. The compromise of design files or intellectual property could have severe financial and reputational consequences. Additionally, disruption of CAD software availability could delay critical projects. Since the vulnerability requires user interaction, phishing or social engineering campaigns could be used to deliver malicious SLDPRT files. The lack of required privileges lowers the barrier for exploitation once a user opens the file. Given the widespread use of Autodesk software globally, the scope of affected systems is broad, increasing the risk of targeted attacks against high-value organizations.

To mitigate CVE-2025-9456, organizations should implement the following specific measures: 1) Restrict the sources of SLDPRT files by enforcing strict file sharing policies and validating files before opening. 2) Employ application whitelisting and sandboxing to limit the execution context of Autodesk applications, reducing the impact of potential exploits. 3) Educate users on the risks of opening files from untrusted sources and implement email filtering to block suspicious attachments. 4) Monitor Autodesk vendor advisories closely and apply patches immediately once available. 5) Use endpoint detection and response (EDR) solutions to detect anomalous behavior related to memory corruption or code execution within Autodesk processes. 6) Consider network segmentation to isolate systems running Autodesk software from critical infrastructure to limit lateral movement. 7) Regularly back up design files and maintain version control to recover from potential compromises. These targeted actions go beyond generic advice by focusing on the specific attack vector and operational context of the vulnerability.