CVE-2025-9460 is an out-of-bounds read vulnerability classified under CWE-125, discovered in Autodesk Shared Components version 2026.0. The vulnerability is triggered when a maliciously crafted SLDPRT file is parsed by Autodesk products relying on these shared components. The flaw allows an attacker to read memory beyond the intended buffer boundaries, which can lead to application crashes, leakage of sensitive information, or even arbitrary code execution within the context of the affected process. The vulnerability requires local access and user interaction, as the user must open or import the malicious SLDPRT file. No privileges are required, making it accessible to any user with access to the Autodesk software. The CVSS v3.1 score is 7.8 (high), with attack vector local, low attack complexity, no privileges required, user interaction required, unchanged scope, and high impact on confidentiality, integrity, and availability. Although no known exploits have been reported in the wild yet, the potential for exploitation is significant given the ability to execute code or leak sensitive data. The vulnerability affects Autodesk’s 2026.0 release of Shared Components, which are widely used across Autodesk’s CAD and design software suite. This shared component is integral to handling SLDPRT files, a common file format in 3D modeling and design workflows. The vulnerability was reserved in August 2025 and published in December 2025, indicating a recent discovery and disclosure. The lack of available patches at the time of disclosure necessitates immediate mitigation efforts to reduce exposure.

For European organizations, especially those in manufacturing, automotive, aerospace, architecture, and engineering sectors that heavily rely on Autodesk products, this vulnerability poses a serious risk. Exploitation could lead to unauthorized disclosure of intellectual property or sensitive design data, potentially resulting in competitive disadvantage or regulatory compliance issues under GDPR if personal data is involved. The ability to execute arbitrary code could allow attackers to establish persistence, move laterally within networks, or deploy ransomware and other malware, disrupting critical design and production workflows. The local attack vector and requirement for user interaction mean that social engineering or insider threats could facilitate exploitation. Given the widespread use of Autodesk software in European industrial and design hubs, the operational impact could be significant, affecting availability of design tools and causing financial and reputational damage. Additionally, disruption in design and manufacturing processes could have downstream effects on supply chains and product delivery timelines.

Organizations should immediately implement the following specific mitigations: 1) Monitor Autodesk’s official channels for patches addressing CVE-2025-9460 and prioritize rapid deployment once available. 2) Restrict the opening of SLDPRT files to trusted sources only, employing strict file validation and sandboxing where possible. 3) Educate users on the risks of opening untrusted or unsolicited design files to reduce the likelihood of social engineering exploitation. 4) Employ application whitelisting and endpoint protection solutions capable of detecting anomalous behavior related to Autodesk processes. 5) Use network segmentation to limit the spread of potential compromise from affected workstations. 6) Implement robust logging and monitoring to detect crashes or unusual Autodesk application activity that could indicate exploitation attempts. 7) Consider disabling or limiting features that automatically parse or preview SLDPRT files in email clients or file explorers to reduce attack surface. 8) Conduct regular backups of critical design data to enable recovery in case of disruption. These steps go beyond generic advice by focusing on controlling file sources, user behavior, and monitoring Autodesk-specific application activity.