CVE-2025-1650

High

Published: 13 March 2025

Published

13 March 2025

Modified

19 August 2025

KEV Added

—

Patch

—

CVSS Score 7.8 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

EPSS Score 0.0025 48.1th percentile

Risk Priority 16 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-1650 is a high-severity Use of Uninitialized Variable (CWE-457) vulnerability in Autodesk Autocad. Its CVSS base score is 7.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Client Execution (T1203); ranked at the 48.1th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and RA-5 (Vulnerability Monitoring and Scanning).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploitation for Client Execution (T1203) and 1 other technique. What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match

prevent

Timely application of Autodesk patches directly remediates the uninitialized variable vulnerability in AutoCAD, preventing exploitation via malicious CATPRODUCT files.

SI-16 Memory Protection partial match

prevent

Memory protection safeguards like ASLR and DEP mitigate arbitrary code execution and sensitive data disclosure from improper handling of uninitialized variables during file parsing.

RA-5 Vulnerability Monitoring and Scanning partial match

detect

Vulnerability scanning identifies deployed AutoCAD versions affected by this uninitialized variable flaw, enabling proactive patching and risk reduction.

MITRE ATT&CK Enterprise TechniquesAI

T1203 Exploitation for Client Execution Execution

Adversaries may exploit software vulnerabilities in client applications to execute code.

attack.mitre.org →

T1204.002 Malicious File Execution

An adversary may rely upon a user opening a malicious file in order to gain execution.

attack.mitre.org →

Why these techniques?

Vulnerability in CATPRODUCT file parsing enables client-side exploitation for arbitrary code execution (or memory read/crash) when user opens malicious file.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

NVD Description

A maliciously crafted CATPRODUCT file, when parsed through Autodesk AutoCAD, can force an Uninitialized Variable vulnerability. A malicious actor can leverage this vulnerability to cause a crash, read sensitive data, or execute arbitrary code in the context of the current…

process.

Deeper analysisAI

CVE-2025-1650, published on 2025-03-13, is an Uninitialized Variable vulnerability (CWE-457, CWE-908) affecting Autodesk AutoCAD. The issue arises when the software parses a maliciously crafted CATPRODUCT file, leading to improper handling of uninitialized variables within the application.

Attackers with local access can exploit this vulnerability with low complexity and no required privileges, though it requires user interaction such as opening the malicious file. Successful exploitation enables the attacker to crash the AutoCAD process, read sensitive data from memory, or execute arbitrary code in the context of the current process, earning a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

Autodesk's security advisory (adsk-sa-2025-0001) addresses this vulnerability, with mitigation available through the latest software updates. Users can download patches for affected versions, including AutoCAD and AutoCAD LT 2022, via official support channels.

Details

CWE(s): CWE-457 CWE-908

Affected Products

autodesk

autocad

2022 — 2022.1.6 · 2023 — 2023.1.7 · 2024 — 2024.1.7

autodesk

autocad architecture

2022 — 2022.1.6 · 2023 — 2023.1.7 · 2024 — 2024.1.7

autodesk

autocad electrical

2022 — 2022.1.6 · 2023 — 2023.1.7 · 2024 — 2024.1.7

autodesk

autocad mechanical

2022 — 2022.1.6 · 2023 — 2023.1.7 · 2024 — 2024.1.7

autodesk

autocad mep

2022 — 2022.1.6 · 2023 — 2023.1.7 · 2024 — 2024.1.7

autodesk

autocad plant 3d

2022 — 2022.1.6 · 2023 — 2023.1.7 · 2024 — 2024.1.7

autodesk

civil 3d

2022 — 2022.1.6 · 2023 — 2023.1.7 · 2024 — 2024.1.7

autodesk

advance steel

2022 — 2022.1.6 · 2023 — 2023.1.7 · 2024 — 2024.1.7

autodesk

autocad map 3d

2022 — 2022.1.6 · 2023 — 2023.1.7 · 2024 — 2024.1.7

CVEs Like This One

CVE-2025-1649Same product: Autodesk Advance Steel

CVE-2025-1427Same product: Autodesk Advance Steel

CVE-2025-1428Same product: Autodesk Advance Steel

CVE-2025-1430Same product: Autodesk Advance Steel

CVE-2025-1432Same product: Autodesk Advance Steel

CVE-2025-1429Same product: Autodesk Advance Steel

CVE-2025-1433Same product: Autodesk Advance Steel

CVE-2025-1431Same product: Autodesk Advance Steel

CVE-2025-1652Same product: Autodesk Advance Steel

CVE-2025-1651Same product: Autodesk Advance Steel

References

https://www.autodesk.com/products/autodesk-access/overview
psirt@autodesk.com
https://www.autodesk.com/support/technical/article/caas/sfdcarticles/sfdcarticles/Where-can-I-download-the-latest-update-of-AutoCAD-AutoCAD-LT-2022.html
psirt@autodesk.com
https://www.autodesk.com/trust/security-advisories/adsk-sa-2025-0001
Vendor Advisory · psirt@autodesk.com