CVE-2025-9460: CWE-125 Out-of-Bounds Read in Autodesk Shared Components
A maliciously crafted SLDPRT file, when parsed through certain Autodesk products, can force an Out-of-Bounds Read vulnerability. A malicious actor can leverage this vulnerability to cause a crash, read sensitive data, or execute arbitrary code in the context of the current process.
AI Analysis
Technical Summary
CVE-2025-9460 is an out-of-bounds read vulnerability classified under CWE-125, found in Autodesk Shared Components version 2026.0. The vulnerability is triggered when the software parses a maliciously crafted SLDPRT file, a common file format used in Autodesk CAD products. This out-of-bounds read can lead to multiple adverse effects: application crashes (denial of service), unauthorized reading of sensitive memory contents (confidentiality breach), and potentially arbitrary code execution within the context of the affected process (integrity and availability compromise). The attack vector requires local access and user interaction, as the victim must open the malicious file. The vulnerability does not require elevated privileges, increasing its risk profile. While no public exploits have been reported yet, the nature of the vulnerability and the widespread use of Autodesk products in professional environments make it a significant threat. The CVSS 3.1 base score of 7.8 reflects a high severity, with the vector indicating low attack complexity, no privileges required, but user interaction needed. The vulnerability affects the core shared components, implying that multiple Autodesk products relying on these components could be impacted. This increases the potential attack surface, especially in environments where CAD files are frequently exchanged. The vulnerability was reserved in August 2025 and published in December 2025, with no patches currently available, highlighting the urgency for affected organizations to prepare mitigations.
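The summary above describes the generic shape of a CWE-125 defect in a file parser: a length or count field taken from the file is trusted, and a later read runs past the end of the buffer that actually holds the file. The following added example, written for this page and not Autodesk's code, illustrates that pattern on a hypothetical toy record format (magic, a name length, a name, a vertex count, then 12-byte vertices) that is an assumption for illustration and has nothing to do with the real SLDPRT layout. The unchecked parser shows where the bug lives; the checked parser shows the bounds and overflow checks that close it. The sample files are constructed inline.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Parsed result for the hypothetical "TOYF" part format (assumed layout, not SLDPRT). */
typedef struct {
    uint32_t name_len;
    uint32_t vertex_count;
    float    first_x;   /* x coordinate of the first vertex, 0 when there are none */
} toy_part_t;

#define TOY_VERTEX_BYTES 12u   /* three little-endian 32-bit floats per vertex */

static uint32_t rd_u32le(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* CWE-125 pattern: every offset is driven by fields read from the file, and none of
 * them is compared against 'len'. A file that claims a huge name_len or vertex_count
 * makes the final memcpy read past the end of 'buf'. Never call this on untrusted input. */
int toy_parse_unchecked(const uint8_t *buf, size_t len, toy_part_t *out) {
    if (len < 4 || memcmp(buf, "TOYF", 4) != 0) return -1;
    size_t off = 4;
    out->name_len = rd_u32le(buf + off);  off += 4;
    off += out->name_len;                 /* trusted length: no bound against len */
    out->vertex_count = rd_u32le(buf + off); off += 4;
    out->first_x = 0.0f;
    if (out->vertex_count > 0)
        memcpy(&out->first_x, buf + off, 4);   /* out-of-bounds read if the file lied */
    return 0;
}

/* Hardened form: before consuming any field, check that it fits in the bytes that
 * remain, and compare counts against "how many records fit" so that
 * vertex_count * TOY_VERTEX_BYTES can never overflow. Returns 0 on success,
 * -1 for a bad magic/too-short header, -2 for a length field that does not fit. */
int toy_parse_checked(const uint8_t *buf, size_t len, toy_part_t *out) {
    if (len < 8 || memcmp(buf, "TOYF", 4) != 0) return -1;
    size_t off = 4;
    uint32_t name_len = rd_u32le(buf + off); off += 4;
    if (name_len > len - off) return -2;          /* name would run past the end */
    off += name_len;
    if (len - off < 4) return -2;                 /* no room for vertex_count */
    uint32_t vc = rd_u32le(buf + off); off += 4;
    if (vc > (len - off) / TOY_VERTEX_BYTES) return -2;   /* vertices would run past the end */
    out->name_len = name_len;
    out->vertex_count = vc;
    out->first_x = 0.0f;
    if (vc > 0) memcpy(&out->first_x, buf + off, 4);      /* now provably in bounds */
    return 0;
}

/* Constructed sample: well-formed file with name "cap" and one vertex (1.5, 0, 0). */
static const uint8_t toy_good[] = {
    'T','O','Y','F',
    0x03,0x00,0x00,0x00, 'c','a','p',
    0x01,0x00,0x00,0x00,
    0x00,0x00,0xC0,0x3F,   /* 1.5f, little-endian */
    0x00,0x00,0x00,0x00,
    0x00,0x00,0x00,0x00
};
/* Constructed sample: name_len = 0xFFFFFFF0 in a 12-byte file. */
static const uint8_t toy_bad_name[] = {
    'T','O','Y','F',
    0xF0,0xFF,0xFF,0xFF,
    0x00,0x00,0x00,0x00
};
/* Constructed sample: empty name, vertex_count = 0xFFFFFFFF with no vertex data. */
static const uint8_t toy_bad_count[] = {
    'T','O','Y','F',
    0x00,0x00,0x00,0x00,
    0xFF,0xFF,0xFF,0xFF
};

int main(void) {
    toy_part_t p;
    printf("good  -> %d\n", toy_parse_checked(toy_good, sizeof toy_good, &p));
    printf("bad name  -> %d\n", toy_parse_checked(toy_bad_name, sizeof toy_bad_name, &p));
    printf("bad count -> %d\n", toy_parse_checked(toy_bad_count, sizeof toy_bad_count, &p));
    return 0;
}
```

The two rejected samples are exactly the inputs a crash-triage engineer looks for when a CAD file "just crashes" the viewer: a length field larger than the file, or a count whose multiplied size wraps around. Fuzzing a parser with AddressSanitizer enabled turns the unchecked variant's silent over-read into an immediate, attributable report, which is the kind of anomalous-crash signal the mitigation list below asks EDR tooling to watch for.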
Potential Impact
For European organizations, the impact of CVE-2025-9460 is significant due to the widespread use of Autodesk products in critical sectors such as automotive, aerospace, manufacturing, construction, and engineering. A successful exploit could lead to unauthorized disclosure of intellectual property embedded in CAD files, disruption of design workflows through application crashes, and potential system compromise if arbitrary code execution is achieved. This could result in operational downtime, loss of competitive advantage, and exposure of sensitive design data. The requirement for user interaction means phishing or social engineering could be used to deliver malicious files, increasing risk in collaborative and supply chain environments common in Europe. The high confidentiality and integrity impact is particularly concerning for organizations handling sensitive or proprietary designs. Additionally, availability impacts from crashes could delay project timelines and increase costs. Given the lack of patches at publication, organizations face a window of exposure that could be exploited once proof-of-concept or weaponized exploits emerge.
Mitigation Recommendations
1. Monitor Autodesk’s official channels for patches and apply them immediately upon release.
2. Until patches are available, restrict the opening of SLDPRT files from untrusted or unknown sources, especially via email or external file shares.
3. Implement application whitelisting and sandboxing to limit the impact of potential exploitation by isolating Autodesk applications.
4. Educate users on the risks of opening unsolicited or unexpected CAD files and enforce strict file handling policies.
5. Employ endpoint detection and response (EDR) solutions to monitor for anomalous behavior indicative of exploitation attempts, such as unexpected crashes or memory access patterns.
6. Use network segmentation to limit the spread of any compromise originating from affected systems.
7. Conduct regular backups of critical design data to enable recovery in case of disruption.
8. Collaborate with supply chain partners to ensure secure file exchange practices and awareness of this vulnerability.
Affected Countries
Germany, France, Italy, United Kingdom, Netherlands, Sweden, Belgium
Technical Details
- Data Version: 5.2
- Assigner Short Name: autodesk
- Date Reserved: 2025-08-25T14:12:54.279Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69409d9ed9bcdf3f3d09c739
Added to database: 12/15/2025, 11:45:34 PM
Last enriched: 12/16/2025, 12:01:32 AM
Last updated: 12/18/2025, 12:02:09 AM