CVE-2025-9460 is an out-of-bounds read vulnerability classified under CWE-125, found in Autodesk Shared Components version 2026.0. The vulnerability arises when a maliciously crafted SLDPRT file is parsed by Autodesk products utilizing these shared components. An out-of-bounds read occurs when the software reads memory outside the bounds of a buffer, which can lead to application instability or crashes. More critically, this vulnerability can be exploited to leak sensitive information from memory or enable arbitrary code execution within the context of the affected process. The attack vector requires local access (AV:L) and user interaction (UI:R), but no privileges (PR:N) are necessary, making it accessible to a user who can open or import a malicious SLDPRT file. The vulnerability impacts confidentiality, integrity, and availability, as it can disclose sensitive data, corrupt process state, or cause denial of service. The CVSS 3.1 base score is 7.8, indicating high severity, with low attack complexity and no privileges required but user interaction needed. No patches or exploits are currently publicly available, but the vulnerability is officially published and reserved since August 2025. Autodesk Shared Components are widely used across Autodesk’s CAD and design software suite, making this vulnerability relevant to many users and organizations relying on these tools for design and engineering workflows.

The potential impact of CVE-2025-9460 is significant for organizations worldwide that use Autodesk products incorporating the affected shared components. Successful exploitation can lead to application crashes, resulting in denial of service and disruption of critical design and engineering operations. More severe consequences include unauthorized disclosure of sensitive intellectual property or design data, which can have financial and competitive repercussions. Arbitrary code execution could allow attackers to escalate privileges, move laterally within networks, or deploy malware, thereby compromising broader organizational security. Industries such as manufacturing, architecture, engineering, and construction, which heavily rely on Autodesk CAD tools, are particularly vulnerable. The requirement for user interaction limits remote exploitation but does not eliminate risk, especially in environments where users frequently exchange design files. The absence of known exploits in the wild currently reduces immediate threat but does not preclude future exploitation once proof-of-concept code or weaponized attacks emerge.

To mitigate CVE-2025-9460, organizations should implement the following specific measures: 1) Restrict the opening or importing of SLDPRT files from untrusted or unknown sources, employing strict file validation and sandboxing where possible. 2) Educate users about the risks of opening files from unverified origins and encourage vigilance against suspicious files. 3) Monitor Autodesk application logs and system behavior for unusual crashes or memory access violations that could indicate exploitation attempts. 4) Employ endpoint detection and response (EDR) tools to detect anomalous process behavior related to Autodesk software. 5) Once Autodesk releases a security patch or update addressing this vulnerability, prioritize its deployment across all affected systems. 6) Consider network segmentation to isolate systems running Autodesk software from critical infrastructure to limit lateral movement in case of compromise. 7) Maintain regular backups of critical design data to enable recovery from potential denial-of-service or ransomware attacks stemming from exploitation. These steps go beyond generic advice by focusing on file handling policies, user awareness, and proactive monitoring tailored to the nature of this vulnerability.