CVE-2025-1428

High

Published: 13 March 2025

Published

13 March 2025

Modified

19 August 2025

KEV Added

—

Patch

—

CVSS Score 7.8 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

EPSS Score 0.0038 59.5th percentile

Risk Priority 16 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-1428 is a high-severity Out-of-bounds Read (CWE-125) vulnerability in Autodesk Autocad. Its CVSS base score is 7.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Client Execution (T1203); ranked in the top 40.5% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-16 (Memory Protection) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploitation for Client Execution (T1203) and 1 other technique. What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match

prevent

Directly requires timely remediation of known flaws like this AutoCAD out-of-bounds read vulnerability through vendor patches provided in Autodesk advisory ADSK-SA-2025-0001.

SI-16 Memory Protection good match

prevent

Implements memory safeguards such as address space layout randomization and non-executable memory to mitigate out-of-bounds reads that could lead to information disclosure or code execution.

SI-3 Malicious Code Protection partial match

preventdetect

Deploys malicious code protection mechanisms on endpoints to scan and potentially block or detect maliciously crafted CATPART files before they trigger the vulnerability in AutoCAD.

MITRE ATT&CK Enterprise TechniquesAI

T1203 Exploitation for Client Execution Execution

Adversaries may exploit software vulnerabilities in client applications to execute code.

attack.mitre.org →

T1204.002 Malicious File Execution

An adversary may rely upon a user opening a malicious file in order to gain execution.

attack.mitre.org →

Why these techniques?

The vulnerability is a client-side file parsing flaw in AutoCAD allowing arbitrary code execution when a user opens a malicious CATPART file, directly enabling T1203 (Exploitation for Client Execution) and T1204.002 (Malicious File under User Execution).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

NVD Description

A maliciously crafted CATPART file, when parsed through Autodesk AutoCAD, can force an Out-of-Bounds Read vulnerability. A malicious actor can leverage this vulnerability to cause a crash, read sensitive data, or execute arbitrary code in the context of the current…

process.

Deeper analysisAI

CVE-2025-1428 is an Out-of-Bounds Read vulnerability (CWE-125) in Autodesk AutoCAD, triggered by parsing a maliciously crafted CATPART file. Published on 2025-03-13, it has a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H). The flaw occurs during file processing, allowing potential exploitation within the application's context.

A local attacker with no privileges can exploit this vulnerability by tricking a user into opening a specially crafted CATPART file through AutoCAD, requiring user interaction. Successful exploitation enables the attacker to cause application crashes (high availability impact), read sensitive data from memory (high confidentiality impact), or execute arbitrary code (high integrity impact) in the context of the current process.

Autodesk has addressed this issue in security advisory ADSK-SA-2025-0001, available at https://www.autodesk.com/trust/security-advisories/adsk-sa-2025-0001. Mitigation involves applying the latest updates for AutoCAD, with download instructions provided at https://www.autodesk.com/support/technical/article/caas/sfdcarticles/sfdcarticles/Where-can-I-download-the-latest-update-of-AutoCAD-AutoCAD-LT-2022.html. Additional context on Autodesk Access is at https://www.autodesk.com/products/autodesk-access/overview.

Details

CWE(s): CWE-125

Affected Products

autodesk

autocad

2022 — 2022.1.6 · 2023 — 2023.1.7 · 2024 — 2024.1.7

autodesk

autocad architecture

2022 — 2022.1.6 · 2023 — 2023.1.7 · 2024 — 2024.1.7

autodesk

autocad electrical

2022 — 2022.1.6 · 2023 — 2023.1.7 · 2024 — 2024.1.7

autodesk

autocad mechanical

2022 — 2022.1.6 · 2023 — 2023.1.7 · 2024 — 2024.1.7

autodesk

autocad mep

2022 — 2022.1.6 · 2023 — 2023.1.7 · 2024 — 2024.1.7

autodesk

autocad plant 3d

2022 — 2022.1.6 · 2023 — 2023.1.7 · 2024 — 2024.1.7

autodesk

civil 3d

2022 — 2022.1.6 · 2023 — 2023.1.7 · 2024 — 2024.1.7

autodesk

advance steel

2022 — 2022.1.6 · 2023 — 2023.1.7 · 2024 — 2024.1.7

autodesk

autocad map 3d

2022 — 2022.1.6 · 2023 — 2023.1.7 · 2024 — 2024.1.7

CVEs Like This One

CVE-2025-1433Same product: Autodesk Advance Steel

CVE-2025-1431Same product: Autodesk Advance Steel

CVE-2025-1652Same product: Autodesk Advance Steel

CVE-2025-1649Same product: Autodesk Advance Steel

CVE-2025-1430Same product: Autodesk Advance Steel

CVE-2025-1432Same product: Autodesk Advance Steel

CVE-2025-1427Same product: Autodesk Advance Steel

CVE-2025-1650Same product: Autodesk Advance Steel

CVE-2025-1429Same product: Autodesk Advance Steel

CVE-2025-1651Same product: Autodesk Advance Steel

References

https://www.autodesk.com/products/autodesk-access/overview
psirt@autodesk.com
https://www.autodesk.com/support/technical/article/caas/sfdcarticles/sfdcarticles/Where-can-I-download-the-latest-update-of-AutoCAD-AutoCAD-LT-2022.html
psirt@autodesk.com
https://www.autodesk.com/trust/security-advisories/adsk-sa-2025-0001
Vendor Advisory · psirt@autodesk.com