CVE-2025-1433

High

Published: 13 March 2025

Published

13 March 2025

Modified

19 August 2025

KEV Added

—

Patch

—

CVSS Score 7.8 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

EPSS Score 0.0028 51.8th percentile

Risk Priority 16 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-1433 is a high-severity Out-of-bounds Read (CWE-125) vulnerability in Autodesk Autocad. Its CVSS base score is 7.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Client Execution (T1203); ranked in the top 48.2% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-16 (Memory Protection) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploitation for Client Execution (T1203) and 1 other technique. What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match

prevent

Mandates timely identification, reporting, and correction of software flaws like this out-of-bounds read vulnerability through vendor patches.

SI-16 Memory Protection good match

prevent

Implements memory protections such as address space randomization and non-executable memory to mitigate exploitation of out-of-bounds reads for code execution or data leakage.

SI-10 Information Input Validation partial match

prevent

Requires validation of information inputs like MODEL files to detect and reject maliciously crafted files before parsing in AutoCAD.

MITRE ATT&CK Enterprise TechniquesAI

T1203 Exploitation for Client Execution Execution

Adversaries may exploit software vulnerabilities in client applications to execute code.

attack.mitre.org →

T1204.002 Malicious File Execution

An adversary may rely upon a user opening a malicious file in order to gain execution.

attack.mitre.org →

Why these techniques?

Vulnerability in AutoCAD file parsing (MODEL) is exploited via user opening malicious file leading to RCE or memory read, directly enabling T1203 (Exploitation for Client Execution) and T1204.002 (Malicious File).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

NVD Description

A maliciously crafted MODEL file, when parsed through Autodesk AutoCAD, can force an Out-of-Bounds Read vulnerability. A malicious actor can leverage this vulnerability to cause a crash, read sensitive data, or execute arbitrary code in the context of the current…

process.

Deeper analysisAI

CVE-2025-1433 is an Out-of-Bounds Read vulnerability (CWE-125) affecting Autodesk AutoCAD. The issue arises when AutoCAD parses a maliciously crafted MODEL file, potentially leading to exploitation. Published on 2025-03-13, it has a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

A local attacker with no privileges can exploit this vulnerability by tricking a user into opening a malicious MODEL file in AutoCAD, which requires user interaction. Successful exploitation allows the attacker to cause a denial-of-service crash, read sensitive data from memory, or execute arbitrary code within the context of the AutoCAD process.

Autodesk's security advisory ADSK-SA-2025-0001 addresses this vulnerability. Mitigation involves applying the latest updates, available through Autodesk support resources such as the AutoCAD and AutoCAD LT 2022 update download page, with additional context provided in the Autodesk Access product overview.

Details

CWE(s): CWE-125

Affected Products

autodesk

autocad

2022 — 2022.1.6 · 2023 — 2023.1.7 · 2024 — 2024.1.7

autodesk

autocad architecture

2022 — 2022.1.6 · 2023 — 2023.1.7 · 2024 — 2024.1.7

autodesk

autocad electrical

2022 — 2022.1.6 · 2023 — 2023.1.7 · 2024 — 2024.1.7

autodesk

autocad mechanical

2022 — 2022.1.6 · 2023 — 2023.1.7 · 2024 — 2024.1.7

autodesk

autocad mep

2022 — 2022.1.6 · 2023 — 2023.1.7 · 2024 — 2024.1.7

autodesk

autocad plant 3d

2022 — 2022.1.6 · 2023 — 2023.1.7 · 2024 — 2024.1.7

autodesk

civil 3d

2022 — 2022.1.6 · 2023 — 2023.1.7 · 2024 — 2024.1.7

autodesk

advance steel

2022 — 2022.1.6 · 2023 — 2023.1.7 · 2024 — 2024.1.7

autodesk

autocad map 3d

2022 — 2022.1.6 · 2023 — 2023.1.7 · 2024 — 2024.1.7

CVEs Like This One

CVE-2025-1428Same product: Autodesk Advance Steel

CVE-2025-1431Same product: Autodesk Advance Steel

CVE-2025-1652Same product: Autodesk Advance Steel

CVE-2025-1649Same product: Autodesk Advance Steel

CVE-2025-1430Same product: Autodesk Advance Steel

CVE-2025-1432Same product: Autodesk Advance Steel

CVE-2025-1427Same product: Autodesk Advance Steel

CVE-2025-1650Same product: Autodesk Advance Steel

CVE-2025-1429Same product: Autodesk Advance Steel

CVE-2025-1651Same product: Autodesk Advance Steel

References

https://www.autodesk.com/products/autodesk-access/overview
psirt@autodesk.com
https://www.autodesk.com/support/technical/article/caas/sfdcarticles/sfdcarticles/Where-can-I-download-the-latest-update-of-AutoCAD-AutoCAD-LT-2022.html
psirt@autodesk.com
https://www.autodesk.com/trust/security-advisories/adsk-sa-2025-0001
Vendor Advisory · psirt@autodesk.com