
More than three dozen vulnerabilities have been identified in Autodesk software. These flaws, if exploited, could allow attackers to execute arbitrary code, compromising sensitive data and disrupting operations that depend on the software.
These vulnerabilities serve as potential gateways for attackers, allowing them to execute code in the context of the current process when a user unwittingly visits a malicious page or opens a compromised file.
The identified vulnerabilities, which include CVE-2024-0446, CVE-2024-23120, CVE-2024-23121, CVE-2024-23122, CVE-2024-23123 and CVE-2024-23124, cover a spectrum of maliciously crafted files including STP, CATPART, 3DM, MODEL, SLDPRT, SLDASM, IGS, and more. These files, when parsed by Autodesk AutoCAD, can lead to dire consequences such as Out-of-Bounds Writes, Stack-based Overflows, Heap-based Overflows, Memory Corruption, Use-After-Free, and Dereferencing Untrusted Pointers.
Autodesk, acknowledging the gravity of these findings, has committed to issuing fixes in an upcoming release. The vulnerabilities, intricate in their nature, can lead to crashes, unauthorized reading and writing of sensitive data, and, most alarmingly, the execution of arbitrary code that could compromise the security and privacy of the operations conducted through AutoCAD.
Despite the severity, the silver lining is that these vulnerabilities require user interaction for exploitation, which somewhat mitigates the risk, reflected in a CVSS severity rating of 7.8. The Zero Day Initiative (ZDI) suggests limiting interaction with AutoCAD applications as a mitigation strategy, though this is far from a viable solution for many businesses and organizations reliant on AutoCAD for their day-to-day operations. Other interim steps include:
- Avoid using the import feature.
- Disable imports by renaming acTranslators.exe in the AutoCAD install folder. This disables imports of the following file types: 3dm, abc, CATPart, iges, igs, model, prt, sldasm, sldprt, step, sstp, x_t
- Import files from trusted sources only.
Impacted Products

| Product | Impacted Versions |
|---|---|
| Autodesk AutoCAD | Version 2021 through 2024 |
| Autodesk AutoCAD Architecture | Version 2021 through 2024 |
| Autodesk AutoCAD Electrical | Version 2021 through 2024 |
| Autodesk AutoCAD Map 3D | Version 2021 through 2024 |
| Autodesk AutoCAD Mechanical | Version 2021 through 2024 |
| Autodesk AutoCAD MEP | Version 2021 through 2024 |
| Autodesk AutoCAD Plant 3D | Version 2021 through 2024 |
| Autodesk AutoCAD LT | Version 2021 through 2024 |
| Autodesk Civil 3D | Version 2021 through 2024 |
| Autodesk Advance Steel | Version 2021 through 2024 |
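As an added example (not from the advisory or from Autodesk), the following PowerShell script audits a workstation for installs in the 2021 through 2024 range listed above and reports whether acTranslators.exe is still present, i.e. whether the import feature the interim mitigation disables is still active; with -DisableImports it applies that rename. It assumes the default install layout under C:\Program Files\Autodesk with one "<Product> <Year>" folder per release, and that acTranslators.exe sits directly in that folder.

```powershell
<#
  Added audit example; not part of the advisory or of Autodesk's tooling.
  Assumptions (adjust for your environment):
    - products install under $Root as "<Product> <Year>" folders (default layout)
    - acTranslators.exe lives directly in that folder, as the interim mitigation states
#>
[CmdletBinding(SupportsShouldProcess)]
param(
    [string]$Root = 'C:\Program Files\Autodesk',
    [switch]$DisableImports   # apply the rename mitigation instead of only reporting
)

$ImpactedYears = 2021..2024   # version range from the impacted-products table

Get-ChildItem -Path $Root -Directory -ErrorAction SilentlyContinue | ForEach-Object {
    # Only consider folders that end in a release year, e.g. "AutoCAD 2023"
    if ($_.Name -notmatch '^(?<product>.+?) (?<year>\d{4})$') { return }
    $product = $Matches['product']
    $year    = [int]$Matches['year']

    $translator     = Join-Path $_.FullName 'acTranslators.exe'
    $importsEnabled = Test-Path -LiteralPath $translator   # present => imports still on
    $impacted       = $year -in $ImpactedYears

    if ($DisableImports -and $impacted -and $importsEnabled) {
        # Rename rather than delete so the change is reversible once a fix ships
        if ($PSCmdlet.ShouldProcess($translator, 'Rename to disable file imports')) {
            Rename-Item -LiteralPath $translator -NewName 'acTranslators.exe.disabled'
            $importsEnabled = $false
        }
    }

    [pscustomobject]@{
        Product        = $product
        Year           = $year
        Impacted       = $impacted
        ImportsEnabled = $importsEnabled
        Path           = $_.FullName
    }
} | Format-Table -AutoSize
```

Run it as administrator when using -DisableImports (the rename touches Program Files), and add -WhatIf first to preview which executables would be renamed.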


