Cyber Posture

CVE-2025-1427

High

Published: 13 March 2025

Published
13 March 2025
Modified
19 August 2025
KEV Added
Patch
CVSS Score 7.8 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
EPSS Score 0.0018 39.7th percentile
Risk Priority 16 60% EPSS · 20% KEV · 20% CVSS

Description

An adversary may rely upon a user opening a malicious file in order to gain execution.

Security Summary

CVE-2025-1427, published on 2025-03-13, is an uninitialized variable vulnerability (CWE-457, CWE-908) affecting Autodesk AutoCAD. The issue arises when AutoCAD parses a maliciously crafted CATPRODUCT file, leading to potential exploitation. It carries a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H), indicating high confidentiality, integrity, and availability impacts.

A local attacker with low complexity can exploit this vulnerability by tricking a user into opening a malicious CATPRODUCT file within AutoCAD, requiring no privileges but necessitating user interaction. Successful exploitation enables the attacker to crash the application, read sensitive data from memory, or execute arbitrary code in the context of the AutoCAD process.

Autodesk has published security advisory ADSK-SA-2025-0001 addressing this issue. Mitigation involves applying the latest updates for AutoCAD, available through Autodesk's support resources, such as the update download page for AutoCAD and AutoCAD LT 2022. Additional details are provided in Autodesk Access product overview.

Details

CWE(s)
CWE-457CWE-908

Affected Products

autodesk
autocad
2022 — 2022.1.6 · 2023 — 2023.1.7 · 2024 — 2024.1.7
autodesk
autocad architecture
2022 — 2022.1.6 · 2023 — 2023.1.7 · 2024 — 2024.1.7
autodesk
autocad electrical
2022 — 2022.1.6 · 2023 — 2023.1.7 · 2024 — 2024.1.7
autodesk
autocad mechanical
2022 — 2022.1.6 · 2023 — 2023.1.7 · 2024 — 2024.1.7
autodesk
autocad mep
2022 — 2022.1.6 · 2023 — 2023.1.7 · 2024 — 2024.1.7
autodesk
autocad plant 3d
2022 — 2022.1.6 · 2023 — 2023.1.7 · 2024 — 2024.1.7
autodesk
civil 3d
2022 — 2022.1.6 · 2023 — 2023.1.7 · 2024 — 2024.1.7
autodesk
advance steel
2022 — 2022.1.6 · 2023 — 2023.1.7 · 2024 — 2024.1.7
autodesk
autocad map 3d
2022 — 2022.1.6 · 2023 — 2023.1.7 · 2024 — 2024.1.7

MITRE ATT&CK Enterprise Techniques

T1203 Exploitation for Client Execution Execution
Adversaries may exploit software vulnerabilities in client applications to execute code.
attack.mitre.org →
T1204.002 Malicious File Execution
An adversary may rely upon a user opening a malicious file in order to gain execution.
attack.mitre.org →
Why these techniques?

The vulnerability is a client-side memory issue in AutoCAD triggered by parsing a malicious CATPRODUCT file, directly enabling exploitation for client execution (T1203) via user opening of a malicious file (T1204.002) to achieve arbitrary code execution or memory disclosure.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References